81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37

Analysis

max time kernel
137s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe
Size

81KB
MD5

f959ce6353cd1176c87f7554534e64c9
SHA1

f30b59cf4b85b0eb50b3159ca79ae8184ee85a5c
SHA256

81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37
SHA512

cd4452dff9b0122214290786b762b2e1800493bb2b167c4348f37f26f9910d751d0524a7016c1d568aa1d3800357c53184b903b6333bc46f282c21273c60e526
SSDEEP

1536:nGzSVnAmSQ/UFiJ7LLgac0/cEgjPlySYFGtopSqF17m4LO++/+1m6KadhYxU33H8:Gzm1SQ/PJPLP/dgjPLt61/LrCimBaH8f

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibank32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chbedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpofpdgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clnadfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cakjmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhjkdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cedihl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpbaqj32.exe

Executes dropped EXE 64 IoCs

pid	Process
4900	Ccfmla32.exe
4148	Cedihl32.exe
3828	Chbedh32.exe
4884	Clnadfbp.exe
4560	Cpjmee32.exe
684	Cakjmm32.exe
4972	Cibank32.exe
4576	Clqnjf32.exe
1468	Coojfa32.exe
1168	Ceibclgn.exe
1400	Chgoogfa.exe
2532	Cpofpdgd.exe
440	Ccmclp32.exe
3056	Cekohk32.exe
4352	Dhjkdg32.exe
3584	Dpacfd32.exe
4924	Dcopbp32.exe
3964	Diihojkb.exe
4840	Dhlhjf32.exe
1068	Dpcpkc32.exe
2664	Dadlclim.exe
2336	Dhnepfpj.exe
4348	Dpemacql.exe
628	Dcdimopp.exe
1148	Debeijoc.exe
2132	Dphifcoi.exe
3312	Dcfebonm.exe
4076	Dhcnke32.exe
532	Dpjflb32.exe
3228	Domfgpca.exe
3068	Dakbckbe.exe
3436	Epmcab32.exe
3132	Ebnoikqb.exe
1736	Ecmlcmhe.exe
4380	Ebploj32.exe
1640	Ejgdpg32.exe
4480	Eodlho32.exe
1908	Ecphimfb.exe
916	Ebbidj32.exe
4868	Ehlaaddj.exe
4012	Eqciba32.exe
4376	Efpajh32.exe
4516	Ejlmkgkl.exe
4692	Eqfeha32.exe
1376	Fjnjqfij.exe
4400	Fhajlc32.exe
4856	Fjqgff32.exe
3152	Ficgacna.exe
4984	Fqkocpod.exe
2024	Fcikolnh.exe
4276	Ffggkgmk.exe
3724	Fifdgblo.exe
4084	Fqmlhpla.exe
2424	Fopldmcl.exe
3084	Ffjdqg32.exe
2152	Fmclmabe.exe
3960	Fflaff32.exe
3784	Fijmbb32.exe
3264	Fmficqpc.exe
3664	Fqaeco32.exe
4264	Gbcakg32.exe
940	Gjjjle32.exe
4436	Gogbdl32.exe
392	Gjlfbd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Gkebcqkl.dll	Cpjmee32.exe
File created	C:\Windows\SysWOW64\Gqpmkibm.dll	Dhlhjf32.exe
File created	C:\Windows\SysWOW64\Dphifcoi.exe	Debeijoc.exe
File opened for modification	C:\Windows\SysWOW64\Dphifcoi.exe	Debeijoc.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Ccfmla32.exe	81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe
File created	C:\Windows\SysWOW64\Ikfcpn32.dll	Ceibclgn.exe
File created	C:\Windows\SysWOW64\Dhjkdg32.exe	Cekohk32.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Clqnjf32.exe	Cibank32.exe
File created	C:\Windows\SysWOW64\Lfhilofo.dll	Ecphimfb.exe
File created	C:\Windows\SysWOW64\Ehlaaddj.exe	Ebbidj32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Clnadfbp.exe	Chbedh32.exe
File opened for modification	C:\Windows\SysWOW64\Ceibclgn.exe	Coojfa32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Cedihl32.exe	Ccfmla32.exe
File created	C:\Windows\SysWOW64\Mdmiambh.dll	Dhjkdg32.exe
File opened for modification	C:\Windows\SysWOW64\Eodlho32.exe	Ejgdpg32.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Domfgpca.exe	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Ccfmla32.exe	81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gpnhekgl.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Nokakckp.dll	Diihojkb.exe
File created	C:\Windows\SysWOW64\Hqlqig32.dll	Dpcpkc32.exe
File created	C:\Windows\SysWOW64\Fqkocpod.exe	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Iinlemia.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7184	6848	WerFault.exe	287

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmljla32.dll"	Coojfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhlhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnepfpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepjeoec.dll"	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockmjg32.dll"	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmggiogn.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccfmla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cedihl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4900	4988	81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe	89
PID 4988 wrote to memory of 4900	4988	81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe	89
PID 4988 wrote to memory of 4900	4988	81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe	89
PID 4900 wrote to memory of 4148	4900	Ccfmla32.exe	90
PID 4900 wrote to memory of 4148	4900	Ccfmla32.exe	90
PID 4900 wrote to memory of 4148	4900	Ccfmla32.exe	90
PID 4148 wrote to memory of 3828	4148	Cedihl32.exe	91
PID 4148 wrote to memory of 3828	4148	Cedihl32.exe	91
PID 4148 wrote to memory of 3828	4148	Cedihl32.exe	91
PID 3828 wrote to memory of 4884	3828	Chbedh32.exe	92
PID 3828 wrote to memory of 4884	3828	Chbedh32.exe	92
PID 3828 wrote to memory of 4884	3828	Chbedh32.exe	92
PID 4884 wrote to memory of 4560	4884	Clnadfbp.exe	93
PID 4884 wrote to memory of 4560	4884	Clnadfbp.exe	93
PID 4884 wrote to memory of 4560	4884	Clnadfbp.exe	93
PID 4560 wrote to memory of 684	4560	Cpjmee32.exe	94
PID 4560 wrote to memory of 684	4560	Cpjmee32.exe	94
PID 4560 wrote to memory of 684	4560	Cpjmee32.exe	94
PID 684 wrote to memory of 4972	684	Cakjmm32.exe	95
PID 684 wrote to memory of 4972	684	Cakjmm32.exe	95
PID 684 wrote to memory of 4972	684	Cakjmm32.exe	95
PID 4972 wrote to memory of 4576	4972	Cibank32.exe	96
PID 4972 wrote to memory of 4576	4972	Cibank32.exe	96
PID 4972 wrote to memory of 4576	4972	Cibank32.exe	96
PID 4576 wrote to memory of 1468	4576	Clqnjf32.exe	97
PID 4576 wrote to memory of 1468	4576	Clqnjf32.exe	97
PID 4576 wrote to memory of 1468	4576	Clqnjf32.exe	97
PID 1468 wrote to memory of 1168	1468	Coojfa32.exe	98
PID 1468 wrote to memory of 1168	1468	Coojfa32.exe	98
PID 1468 wrote to memory of 1168	1468	Coojfa32.exe	98
PID 1168 wrote to memory of 1400	1168	Ceibclgn.exe	99
PID 1168 wrote to memory of 1400	1168	Ceibclgn.exe	99
PID 1168 wrote to memory of 1400	1168	Ceibclgn.exe	99
PID 1400 wrote to memory of 2532	1400	Chgoogfa.exe	100
PID 1400 wrote to memory of 2532	1400	Chgoogfa.exe	100
PID 1400 wrote to memory of 2532	1400	Chgoogfa.exe	100
PID 2532 wrote to memory of 440	2532	Cpofpdgd.exe	101
PID 2532 wrote to memory of 440	2532	Cpofpdgd.exe	101
PID 2532 wrote to memory of 440	2532	Cpofpdgd.exe	101
PID 440 wrote to memory of 3056	440	Ccmclp32.exe	102
PID 440 wrote to memory of 3056	440	Ccmclp32.exe	102
PID 440 wrote to memory of 3056	440	Ccmclp32.exe	102
PID 3056 wrote to memory of 4352	3056	Cekohk32.exe	103
PID 3056 wrote to memory of 4352	3056	Cekohk32.exe	103
PID 3056 wrote to memory of 4352	3056	Cekohk32.exe	103
PID 4352 wrote to memory of 3584	4352	Dhjkdg32.exe	104
PID 4352 wrote to memory of 3584	4352	Dhjkdg32.exe	104
PID 4352 wrote to memory of 3584	4352	Dhjkdg32.exe	104
PID 3584 wrote to memory of 4924	3584	Dpacfd32.exe	105
PID 3584 wrote to memory of 4924	3584	Dpacfd32.exe	105
PID 3584 wrote to memory of 4924	3584	Dpacfd32.exe	105
PID 4924 wrote to memory of 3964	4924	Dcopbp32.exe	106
PID 4924 wrote to memory of 3964	4924	Dcopbp32.exe	106
PID 4924 wrote to memory of 3964	4924	Dcopbp32.exe	106
PID 3964 wrote to memory of 4840	3964	Diihojkb.exe	107
PID 3964 wrote to memory of 4840	3964	Diihojkb.exe	107
PID 3964 wrote to memory of 4840	3964	Diihojkb.exe	107
PID 4840 wrote to memory of 1068	4840	Dhlhjf32.exe	108
PID 4840 wrote to memory of 1068	4840	Dhlhjf32.exe	108
PID 4840 wrote to memory of 1068	4840	Dhlhjf32.exe	108
PID 1068 wrote to memory of 2664	1068	Dpcpkc32.exe	109
PID 1068 wrote to memory of 2664	1068	Dpcpkc32.exe	109
PID 1068 wrote to memory of 2664	1068	Dpcpkc32.exe	109
PID 2664 wrote to memory of 2336	2664	Dadlclim.exe	110

C:\Users\Admin\AppData\Local\Temp\81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe
"C:\Users\Admin\AppData\Local\Temp\81b85a8668a0f2035fc4470f53941445f5f84c9b4fa46d558f311f1e791dab37.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\Ccfmla32.exe
  C:\Windows\system32\Ccfmla32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\Cedihl32.exe
    C:\Windows\system32\Cedihl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\Chbedh32.exe
      C:\Windows\system32\Chbedh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
      - C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        24⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        27⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        29⤵
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        32⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        35⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        37⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        39⤵
        Executes dropped EXE
        
        PID:4480
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        43⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        45⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        47⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        49⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3084
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        60⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        63⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        64⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        65⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        66⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        68⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        69⤵
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        71⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        74⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        75⤵
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        76⤵
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        77⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        78⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        82⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        86⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        89⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        90⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        92⤵
        Drops file in System32 directory
        
        PID:5768
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        93⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        95⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        96⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        97⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        99⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        100⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        101⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        106⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        107⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        110⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        113⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        114⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        115⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        117⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        118⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        119⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        120⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        121⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        123⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        124⤵
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        125⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        126⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        127⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        128⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        129⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        130⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        131⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        132⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        134⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6092
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        138⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        139⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6252
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        142⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        143⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        144⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6532
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        148⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        150⤵
        Drops file in System32 directory
        
        PID:6692
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        152⤵
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        153⤵
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        154⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        155⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6948
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7032
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        159⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        160⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        161⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        162⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        163⤵
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        164⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        167⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        169⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        170⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6884
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        172⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        173⤵
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        177⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        178⤵
        Modifies registry class
        
        PID:6460
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        179⤵
        Modifies registry class
        
        PID:6596
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        180⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6860
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        182⤵
        Modifies registry class
        
        PID:7016
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        185⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6776
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        188⤵
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        190⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        192⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        193⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        194⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        195⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6848 -s 400
        196⤵
        Program crash
        
        PID:7184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6848 -ip 6848
1⤵
PID:6608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
81KB

MD5
4a70d50677c1b97bc1f5d78910fac559

SHA1
0a75b862ca2800989d61ea5843b58ddc7c4271be

SHA256
8c24011690bd4e08d556ae77f3f03e0425aba891af706013794d24d44c1b3e18

SHA512
e3e186628e6d6ab864c2e6b6879e5552c19ec1b111f773798b719559e43a070ede61882e824836ee00e6059415acc1b0d2798a953052abf7192f97e044e0eb60

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
81KB

MD5
cc33ae77358067af5dbb3879a6e7ad82

SHA1
fbc41c0eadc0f59004c673b2c9ccbf813b101816

SHA256
8c8212925259848ccfe571050c51531fc71e045382c79c13145493d4a7cee79b

SHA512
3281f6b9980b15659abdbfe999a14de34d0fc76276805381e400dd17d852f8ee51579cf162947f77605f6104fa51202b4241532fa07d159c6af01d0f09a66268

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
81KB

MD5
257885ae20f6055c34cb64f396777780

SHA1
e192c7aa7baf6eb25d5e16010158707b0e49df55

SHA256
2c7864f2bc0c4cd525d3837fb4e3f90a81418f3a79fadd7f0cae1f71b4caf021

SHA512
53f355e8a16a5b2c86875e617a6bb479714295b590419a15aed06887bd9bbc8eae8e3abb4bb5f72768516173949b6d6957c2c371147457445b921e34fc98d051

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
81KB

MD5
b6edf14d94fd8605ea1724d066938e69

SHA1
efe8be8acbef9d8d0a40ef409d93e971f5841d0c

SHA256
a5cdd3ecb6fc8110f68e97e0498df2b3fdb7eb40a4fc24a16cc489885beac440

SHA512
45cf7cbafdf398b3840703160fee563436d8132acb23f6b51485206870760387a3b60f5acabf91e28e426124c75609505613152761542ca9274699bade824f5d

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
81KB

MD5
f67f10f90c704841866319d5376898d3

SHA1
8708ba48dfd7f4f927f5d83be59731880e01c084

SHA256
fecb41841f2bb68768cb0c7904c7707d9d8f6e24719f59e78bbef132ea018ccc

SHA512
047e83f1c06f5678427ad1e40101562bc09de8b8ca614f61e32979001627ac760cbdedbbcd87f0e3bb2fdf1b8a0941ab8c060a882ba191d82b96b38b6fd547ef

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
81KB

MD5
4d9c24091421cc43feb2ba65198eef62

SHA1
43e573036834d43d09fe7655c8fdf78e501c7191

SHA256
f14962e9a715269ed3e52242c0173bb5865e13261ab61ebc867b6e8b373b973f

SHA512
4107cddc54997b831faad2b3ae7714a5c6325c5fe297a8565e6877e9df9b30da602b324f95e661ea320d0feb5f5b61a93a17d7a7fddf5c8002167d682a354446

Download Submit
C:\Windows\SysWOW64\Chbedh32.exe

Filesize
81KB

MD5
4b0266c6c336311e78ded90ea5404b68

SHA1
a7018f624a52227ab2e328f4378b6d537e6980c6

SHA256
fd677b669c1a83a5f5104a1c5d924653f8891e2a83414b5438545fbae38dceb0

SHA512
6138cd7c3fd987ff61a8bb2dbe883825d14f8e3b996e0d76ea1567a7ea4d2c683c93d1cf1e6a40f64295e1ca4a10bf6fb2d1a395abcaf0fad0b417ed53a58d97

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
81KB

MD5
5b04b6c73112b294b416d8e41e9c3cec

SHA1
ab6ff5b2ef54ddcdb3d51b8d9d933854fd5324ef

SHA256
499e25f01c434f1deb03c40c689f500f100a23a129e79eaf104ef59ca46993bd

SHA512
20143c05ff77fea1bb71f5fe93f5e4038d6c1632c252520aacd3a7fd1db8009598270a4bcfe6ad6a90c5860438543a8c40a8ebf1b97af62e96aabcbc2bdb3bb6

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
81KB

MD5
0f52bfc8d0fb18ca67c8d1d584724585

SHA1
9af72711717b8aee0bdf3dd29d962821146bb925

SHA256
6f20fe377ac4fc79ef59819b3cb397626d5bee4610549076dd42c98b9bb8e88a

SHA512
86b58561a5c8eaaa47d2f1bf3eaa9cfae5957bb17e90063530dc2c0f992c0c03156a863b47f544f625507327d1e92ac131b9cca379418417a56fd4d07d70b24c

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
81KB

MD5
bc59989f771c55cd25aa7d97e1ca92bb

SHA1
e82d2a2ac80a5792111051153fb978ef7f40bf53

SHA256
814a69d92ffd147ae6104f9ec52477c8f0213c78fcb455b63f7305f812aa0946

SHA512
a580dba45957da23e05688123cbb387558f26557bee7a20ffeeb6683e5a548a4fbf667e567b8f26eeccfc2be4a41b240c9cf8c3608fbea4a6c3fc6b1c4712b48

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
81KB

MD5
437a925b5087d41e68bb7e1bdc63cbe6

SHA1
dbf18acc8ca61846e16036795a57f65febb69b9a

SHA256
8d7edad80a3c1beeea04359f9a9beb2b19e27d31201830986b30c416d79d78c8

SHA512
31b6bb55982ca1ee92bfb86872e404687d53bbb173856df29ae8163becec6f68c8aa7272cdc1ab5b21e55633fd513b68329aaa827d5dd8362f107daff39103b0

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
81KB

MD5
2d0c24723278e06d3191b81233f6a1f7

SHA1
aac1e66795cd6ccc80f47a8d01713273573600df

SHA256
90e6b7ef50b4311e79beffe98cd4e5b2995d0e4540eca21a46ee91cf01cb506d

SHA512
aa6adb104676bac831c540f373da863a5fab32556c29474dde1b4dcdd77e8d36a27e8438a415756ff939b0d1ef25a3c2c6d8976c21c25e64c8d69f5a26052a39

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
81KB

MD5
8d5ec62567e500040b87bf85186d72ed

SHA1
6bda8826f834ade6c97039c3dd473b93e0c88d58

SHA256
a4d440d932208716985673a80110a16bdfb765f58c6fc26eb4a985a9f626402c

SHA512
192443162e08333a8e0a15a400d3a33d9a864275dc583d4e4afe557a324df02c8402f5215fffd75c7f1ca8579685c8e57e68c2429435fa4aa847a142e40b969f

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
81KB

MD5
f89baff3237413f94a8ece845e0bc50d

SHA1
0562eac4c506fe4ea7cc5e2eeffc5503d7e74a1d

SHA256
49fbfe9b2754f4c1c73bad74c24941b3d162467e35264a7d6bd5fd3d060029d7

SHA512
e478b52ca67426d70dcdb1a03f0646e0645730f789340951ea503016f0802fa905feb5c6ad331f14164a4ec151c6c7e1a0586b13bd78c6b96decfd4d380e8920

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
81KB

MD5
3d909b0088703d8ce9061bf935ff7b1a

SHA1
81812cf355ffe11cced796f4936d5896d00cf719

SHA256
52b5db055205e4f4354e8d06e0257215961cf840e2c17e3756f4fa839d41f0a9

SHA512
1dd966a59364fd587cec013ea4b183127dd9db2d316e6ecb2300817903769dcf98b05c9877181c6a20514bfbb2331cc46c5c993a22ac1f3499167037a30e59b0

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
81KB

MD5
3626b44a4985ce45573ebd26cc5992fc

SHA1
54931e878590e9ce3717dcdf3f33bfd0b1aa8f96

SHA256
9c26f013088b295c7600b492cea380d1cdf2bd0ecd58bb58dab24270a3332e6c

SHA512
6ef855005a14052ef8668d3878d91601b843e439c6a6be4399980ac8ff00d8293a482a1aaf7417729e602438b6270ebd3d192802f7adeddd706514233c183574

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
81KB

MD5
fe2d73ca0012d397682cd4435c3ce971

SHA1
41cd0e81991ecd064f39830bd09c4e272f3b08f6

SHA256
08c663188ecf8fccefabb08132d11eea96a0c2f538a22937180df59c993f1b65

SHA512
76d9ddf5ffa1f46b23d3a6ac60f16b1faeb564572313f02d5ba42cacf1370574a7b79f7b9c822e39fc66e8112af7d7dad30359e42730fcfffa0ab4e9f06aa158

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
81KB

MD5
c87d71ef724ec05f1856a6e61578e640

SHA1
26328aee68644dd9f1422be9d26bbac9041f1c93

SHA256
af084e00f28f48a517176e9d5f56c464233dad3241d93eba0176a1306444c3f9

SHA512
31873b5bdd868db5d17da2bee553f7adf6c1a3fe995e52cc3c71355113b7f88771b8859a44e1ac61d62200b1e6458ce407b7660ee3c93d9632da7d08a3007e87

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
81KB

MD5
3762af70b5ddd417865d9f452eec7036

SHA1
d9820a38069d8040289506ad66f35488950a06d8

SHA256
a990b931d3b4314907141a71222c49df57b0ecfc13450788bf2c237c44c1f314

SHA512
50731d9df9b7f7399798015e78f4465203f39dcda5e742274b67b43bc7a648cc3697fde16c2776157cfe7671853eb214a24c55622cccbd85d8af4d7a675ae124

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
81KB

MD5
c8251f217af98075716e62131820daec

SHA1
38628fbd94721b888463140296ed08cdda3a682f

SHA256
312973e720a0a67ed24ff1574be644b91d0a59f02c84ced7ecabbe24eff08aab

SHA512
6e986e7cb4f741281f349d74f3c57409f0528d1cf689c236af7a4e1931c0df06f6d8779f081c90e6990bdb6ebc79eb983d1076d1d03246c45e71372c50545e61

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
81KB

MD5
f22a9447b86a1a7455071efebfa34038

SHA1
9f4bc04c2990d4023769f745789a30e9c606db23

SHA256
75d74ffc05fcf34de88969547ddbb1215badf5ebd637734a1d89becd241aa802

SHA512
b926ef35729bfcc4efd7768b98e2012ebcebe33a9622bbd5454473105ca80c7323068503527709e1e0c2f8f6e55d706113857ca8da54fbf5599b1b450cd4e4ff

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
81KB

MD5
96b5a877671d17e580338ab0fd3c3b0e

SHA1
ca648776d607cb5d5bb3e684a344d6ee5b28d2f7

SHA256
04aea36bb3854a507505ee1ae337892e679be641138aab7d05ce19fbaca83810

SHA512
4acd67d05fa6b2431a586ed154cc5454949d4b40645bb9f6f7b2a4017f5a9bcb8f20e720f83a7ace598b4ea573bda4a5aca9d29b04a65babfb1d7cd1506370a1

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
81KB

MD5
75c0a595659f89389067cb2535c6a476

SHA1
452afba037aded72070b70eebfdfa495c0761ca5

SHA256
e52fc94f46de654948459b328a04c9651acd1129910bb32a6c54775d2e041c66

SHA512
5ba819e3d1adb32fc2223274c7cb58ffca271e96895a29262c5278541c55ec89720fc252f44e4b4d3722f86867e320cb8f4e6142b36455bef17e56b1cda8bc94

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
81KB

MD5
c9652abcb0cdf60b60bc1e1464b46802

SHA1
fb285d0cb1cbe6ac9165b2a8768220b0ee70bf7d

SHA256
ed589dae85cf26b0f0d0c5574f1935423ba9027cd3074df4003d7633c5d903d6

SHA512
d2780826e402fb8ee5a53e84cddc07f7a89d3aebc860c962080fec04157ae1903e5b74226ee8cdeba6d7e911c0279610bc597e7899842792c0a28a713893b626

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
81KB

MD5
19e0b5d928a6d9c05143ff9d854945c3

SHA1
029f7c3fbf12c4e03a7c8e9307b5bde3c11ae655

SHA256
6b79ac28de27636674916857e4707db06b6fd3704fa404ccb39b028c831229ab

SHA512
805f4e2af9eecdf8d0956846b52b299291e8c605e05014bef890801f9344a106224283e096a09f172e36295a5ecd7764bbff532cdf834f586093de64dc5c7101

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
81KB

MD5
42c593e27033d52289e36f153fa3420d

SHA1
db8b2365194022f43ba7e9c6e9edd41d797ace7b

SHA256
5c40f26d3c8f51ed88cf8aa0676d61324e99f4def658c8e4ae32a66ae03062df

SHA512
b931ada6732666a34724bf074fdb6a86e86056d3de4be58ab1b7f64362ef9ff6f7c5947d9776a58b577f2ac9900e3f84563fa92dab700c96eea109673cf074d5

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
81KB

MD5
35c6971154bef0778573e47313aed739

SHA1
2a7bf6d1b1a1c7aeaa81a68caa1451721496f084

SHA256
d05b6bb89580b851849fb588bb3a70208a3074f8ab0fe19d029e6fb6c02f7e45

SHA512
941fd80c002a556614432c51909c172f632ca035252969cefd05b36d70420b9077d6326a90d9722b8053519507dc6d62b4a3878bca964389c33066cc5459bb18

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
81KB

MD5
f33c2245faadf586e222428367a85859

SHA1
a025a2d8ba095f8e8ad54fcf6dfb5220bfa46992

SHA256
980a47096e5ee8c1776d6f90190cf2130dcf171bc006bc3cea4d76e6b732dd41

SHA512
3e584c0b5e22fcc3498231548b7d1a72f9ec319eef3c9197f1d96528200f7cd541319eb32368b2c196d979b0c4ff4dafbd290b42a44b5f83c3e31f27cd86375d

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
81KB

MD5
6e3b1c167e46532a6aa47120e1409578

SHA1
eb81700179797042dd4799bc81fe648d4fd479b9

SHA256
881fda3ce0356609d96548713acf88c1bb6e44299c473692a1e7df0c8cf1bc21

SHA512
949d3370d173e4fae4ac11bbc7bb5a9a92271d73da243d6ad77a6c4b972af852e33edf28f4133714dd0b3e0ed55f16af60bee4802538b9f0af3f8302a08ebea1

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
81KB

MD5
0581f581bf8519ffd1102d97c71d5c43

SHA1
49514eff2629d972437168213a6cd3feb01c05f9

SHA256
e10f9be0526ecc71202376be3c5c421ea246ea3a6807a0d5ab1809450be0dd7b

SHA512
68261b0db63ebaa3427e4640df2f7ee49a13c3b5437cbf44cee35422de4fdbd9fd7e1b35faa17c2e3ed9f5d632b9e05881b6ad942304a8ecf73585d388be8452

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
81KB

MD5
6e7f58009df5c4836f0a9ac3a4a67fef

SHA1
90c6c0ee7c1f5c39f7664c1ce963836432814d52

SHA256
3b4936425f645324944a7ef1ddfb81f7c3b41d83013f7a95a2ffdffae2a43a17

SHA512
8489520605e5308cbd48fd3ead4d429b0353bdaa74ff3cf4bdb0eb45de627816512fa8d2d69c30ce52c220eb96ac43231a63621878e87e3891221b33d9520366

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
81KB

MD5
65b69d77c1c904e82d2b580a1d61434a

SHA1
666806330668e9110b531029c78498ef1a4ae7a5

SHA256
17ff90baf93e320908d7241959daef27503300df6f76bf39c58d391b36ecbdc3

SHA512
16624d4dace73d2f9b2c5495f633051b25533206fffa13153c2e7b2fef78882deb666957652799aa2a3879aa612f7999e56c586de2499a56af516821cd03bdb8

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
81KB

MD5
26c936035c12c9226f2906301bedb492

SHA1
8a089438dcb1ddf0dfb4340374b8ec6ce940fd13

SHA256
f5cab01c34369a2042512a252e06718970ce39c10b3f49ab97470e07c913a291

SHA512
0927dba71788f0b88da66ba209e3a0d49938fb4e59e9091972677292551ea4aee724a5976b0fe89da1c9639a1dd6249f62e63b63e3ab0931d048e8f880eea621

Download Submit
memory/440-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/532-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/628-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/916-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1376-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1400-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2132-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2532-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2664-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3132-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3152-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3436-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3664-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3724-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3784-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3828-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3960-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3964-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4276-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4352-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4400-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4576-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4840-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4924-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4972-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-6-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5344-1356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6092-1354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6208-1351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6368-1325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6404-1347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6460-1312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6512-1297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6524-1304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6532-1344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6540-1323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6596-1311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6724-1321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6736-1339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6784-1338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6848-1295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6860-1309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6864-1336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6884-1319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6928-1302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6948-1334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7092-1307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads