cd785b7ac2bef1be6e4eeab4b20e8475470bb9b53aa16b2ba475168009964b95

Analysis

max time kernel
146s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd785b7ac2bef1be6e4eeab4b20e8475470bb9b53aa16b2ba475168009964b95.exe
Size

109KB
MD5

16ed0ce38768450a96ab098de6f906c9
SHA1

83297bf87eb019788f3d23b4c606c38d49690812
SHA256

cd785b7ac2bef1be6e4eeab4b20e8475470bb9b53aa16b2ba475168009964b95
SHA512

67013fa7feeb0c5d54bb455cb287d3ec424b2291cae26173b02b6c408bc34224a65956e19bc4f6dff3da24a59977736144514a4cdcaae57372d2ff08c0811a0b
SSDEEP

3072:NYBEJwUEpNcHlk3ntVaS7+imKuSW6ehj7u8fo3PXl9Z7S/yCsKh2EzZA/z:NDNmaS8j7ugo35e/yCthvUz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cd785b7ac2bef1be6e4eeab4b20e8475470bb9b53aa16b2ba475168009964b95.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe

Executes dropped EXE 64 IoCs

pid	Process
1004	Dadlclim.exe
2428	Djlddi32.exe
4608	Dcdimopp.exe
4292	Debeijoc.exe
4160	Dllmfd32.exe
1412	Dokjbp32.exe
680	Daifnk32.exe
4012	Djpnohej.exe
5100	Dlojkddn.exe
228	Domfgpca.exe
3344	Dakbckbe.exe
4908	Ejbkehcg.exe
3552	Elagacbk.exe
1636	Epmcab32.exe
5032	Eckonn32.exe
1604	Ebnoikqb.exe
4044	Ejegjh32.exe
2416	Ehhgfdho.exe
4896	Elccfc32.exe
4884	Eoapbo32.exe
2724	Ecmlcmhe.exe
4144	Ebploj32.exe
4504	Ehjdldfl.exe
4900	Eleplc32.exe
1720	Eodlho32.exe
1644	Ehlaaddj.exe
3036	Eofinnkf.exe
4456	Ebeejijj.exe
4968	Ehonfc32.exe
1148	Eqfeha32.exe
5008	Fhajlc32.exe
1236	Ficgacna.exe
4988	Fomonm32.exe
4480	Fbllkh32.exe
3400	Fqmlhpla.exe
2984	Fckhdk32.exe
3160	Ffjdqg32.exe
4552	Fmclmabe.exe
2088	Fjhmgeao.exe
3780	Fmficqpc.exe
1016	Fodeolof.exe
4732	Gjjjle32.exe
4716	Gmhfhp32.exe
912	Gqdbiofi.exe
3268	Gfqjafdq.exe
1300	Gcekkjcj.exe
1568	Gfcgge32.exe
3416	Giacca32.exe
2264	Gcggpj32.exe
1944	Gfedle32.exe
2596	Gjapmdid.exe
4436	Gfhqbe32.exe
2112	Gifmnpnl.exe
1520	Hboagf32.exe
2464	Hihicplj.exe
1884	Hapaemll.exe
3876	Hcnnaikp.exe
2196	Hbanme32.exe
812	Hjhfnccl.exe
1480	Hikfip32.exe
3112	Habnjm32.exe
4548	Hfofbd32.exe
2204	Himcoo32.exe
928	Hpgkkioa.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ficgacna.exe	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ebploj32.exe	Ecmlcmhe.exe
File created	C:\Windows\SysWOW64\Ehjdldfl.exe	Ebploj32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkklocjg.dll	Epmcab32.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Eodlho32.exe
File opened for modification	C:\Windows\SysWOW64\Fqmlhpla.exe	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hihicplj.exe
File opened for modification	C:\Windows\SysWOW64\Domfgpca.exe	Dlojkddn.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Eofinnkf.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Giacca32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jehocmdp.dll	Djlddi32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Dlojkddn.exe	Djpnohej.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Elccfc32.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Fbllkh32.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Lcglnp32.dll	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Eceakm32.dll	Dadlclim.exe
File opened for modification	C:\Windows\SysWOW64\Eckonn32.exe	Epmcab32.exe
File created	C:\Windows\SysWOW64\Fhajlc32.exe	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Fodeolof.exe	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Dadlclim.exe	cd785b7ac2bef1be6e4eeab4b20e8475470bb9b53aa16b2ba475168009964b95.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Gjjjle32.exe	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Eoapbo32.exe	Elccfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Bgdnaigp.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Ddomph32.dll	Debeijoc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7164	6420	WerFault.exe	279

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdnaigp.dll"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epmcab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Elagacbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjdddho.dll"	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmlbfpm.dll"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1004	2136	cd785b7ac2bef1be6e4eeab4b20e8475470bb9b53aa16b2ba475168009964b95.exe	89
PID 2136 wrote to memory of 1004	2136	cd785b7ac2bef1be6e4eeab4b20e8475470bb9b53aa16b2ba475168009964b95.exe	89
PID 2136 wrote to memory of 1004	2136	cd785b7ac2bef1be6e4eeab4b20e8475470bb9b53aa16b2ba475168009964b95.exe	89
PID 1004 wrote to memory of 2428	1004	Dadlclim.exe	90
PID 1004 wrote to memory of 2428	1004	Dadlclim.exe	90
PID 1004 wrote to memory of 2428	1004	Dadlclim.exe	90
PID 2428 wrote to memory of 4608	2428	Djlddi32.exe	91
PID 2428 wrote to memory of 4608	2428	Djlddi32.exe	91
PID 2428 wrote to memory of 4608	2428	Djlddi32.exe	91
PID 4608 wrote to memory of 4292	4608	Dcdimopp.exe	92
PID 4608 wrote to memory of 4292	4608	Dcdimopp.exe	92
PID 4608 wrote to memory of 4292	4608	Dcdimopp.exe	92
PID 4292 wrote to memory of 4160	4292	Debeijoc.exe	93
PID 4292 wrote to memory of 4160	4292	Debeijoc.exe	93
PID 4292 wrote to memory of 4160	4292	Debeijoc.exe	93
PID 4160 wrote to memory of 1412	4160	Dllmfd32.exe	94
PID 4160 wrote to memory of 1412	4160	Dllmfd32.exe	94
PID 4160 wrote to memory of 1412	4160	Dllmfd32.exe	94
PID 1412 wrote to memory of 680	1412	Dokjbp32.exe	95
PID 1412 wrote to memory of 680	1412	Dokjbp32.exe	95
PID 1412 wrote to memory of 680	1412	Dokjbp32.exe	95
PID 680 wrote to memory of 4012	680	Daifnk32.exe	96
PID 680 wrote to memory of 4012	680	Daifnk32.exe	96
PID 680 wrote to memory of 4012	680	Daifnk32.exe	96
PID 4012 wrote to memory of 5100	4012	Djpnohej.exe	97
PID 4012 wrote to memory of 5100	4012	Djpnohej.exe	97
PID 4012 wrote to memory of 5100	4012	Djpnohej.exe	97
PID 5100 wrote to memory of 228	5100	Dlojkddn.exe	98
PID 5100 wrote to memory of 228	5100	Dlojkddn.exe	98
PID 5100 wrote to memory of 228	5100	Dlojkddn.exe	98
PID 228 wrote to memory of 3344	228	Domfgpca.exe	99
PID 228 wrote to memory of 3344	228	Domfgpca.exe	99
PID 228 wrote to memory of 3344	228	Domfgpca.exe	99
PID 3344 wrote to memory of 4908	3344	Dakbckbe.exe	100
PID 3344 wrote to memory of 4908	3344	Dakbckbe.exe	100
PID 3344 wrote to memory of 4908	3344	Dakbckbe.exe	100
PID 4908 wrote to memory of 3552	4908	Ejbkehcg.exe	101
PID 4908 wrote to memory of 3552	4908	Ejbkehcg.exe	101
PID 4908 wrote to memory of 3552	4908	Ejbkehcg.exe	101
PID 3552 wrote to memory of 1636	3552	Elagacbk.exe	102
PID 3552 wrote to memory of 1636	3552	Elagacbk.exe	102
PID 3552 wrote to memory of 1636	3552	Elagacbk.exe	102
PID 1636 wrote to memory of 5032	1636	Epmcab32.exe	103
PID 1636 wrote to memory of 5032	1636	Epmcab32.exe	103
PID 1636 wrote to memory of 5032	1636	Epmcab32.exe	103
PID 5032 wrote to memory of 1604	5032	Eckonn32.exe	104
PID 5032 wrote to memory of 1604	5032	Eckonn32.exe	104
PID 5032 wrote to memory of 1604	5032	Eckonn32.exe	104
PID 1604 wrote to memory of 4044	1604	Ebnoikqb.exe	105
PID 1604 wrote to memory of 4044	1604	Ebnoikqb.exe	105
PID 1604 wrote to memory of 4044	1604	Ebnoikqb.exe	105
PID 4044 wrote to memory of 2416	4044	Ejegjh32.exe	106
PID 4044 wrote to memory of 2416	4044	Ejegjh32.exe	106
PID 4044 wrote to memory of 2416	4044	Ejegjh32.exe	106
PID 2416 wrote to memory of 4896	2416	Ehhgfdho.exe	107
PID 2416 wrote to memory of 4896	2416	Ehhgfdho.exe	107
PID 2416 wrote to memory of 4896	2416	Ehhgfdho.exe	107
PID 4896 wrote to memory of 4884	4896	Elccfc32.exe	108
PID 4896 wrote to memory of 4884	4896	Elccfc32.exe	108
PID 4896 wrote to memory of 4884	4896	Elccfc32.exe	108
PID 4884 wrote to memory of 2724	4884	Eoapbo32.exe	109
PID 4884 wrote to memory of 2724	4884	Eoapbo32.exe	109
PID 4884 wrote to memory of 2724	4884	Eoapbo32.exe	109
PID 2724 wrote to memory of 4144	2724	Ecmlcmhe.exe	110

C:\Users\Admin\AppData\Local\Temp\cd785b7ac2bef1be6e4eeab4b20e8475470bb9b53aa16b2ba475168009964b95.exe
"C:\Users\Admin\AppData\Local\Temp\cd785b7ac2bef1be6e4eeab4b20e8475470bb9b53aa16b2ba475168009964b95.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\Dadlclim.exe
  C:\Windows\system32\Dadlclim.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\Djlddi32.exe
    C:\Windows\system32\Djlddi32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\Dcdimopp.exe
      C:\Windows\system32\Dcdimopp.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4292
      - C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4160
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        24⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1644
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        30⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        33⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4988
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        36⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        39⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3780
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        48⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        50⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4436
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        54⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:812
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        65⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        66⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        67⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3812
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        70⤵
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        72⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        73⤵
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        74⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        75⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        76⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        77⤵
        Drops file in System32 directory
        
        PID:736
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        78⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        80⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        81⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        83⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        84⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        85⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        86⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        88⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        89⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        90⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        94⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        95⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        97⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        100⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        101⤵
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        102⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        104⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        107⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        112⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        114⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        118⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        119⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        120⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        121⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        124⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        126⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        127⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        128⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        129⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        132⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        133⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        134⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6212
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        137⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6292
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        139⤵
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        140⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        141⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        143⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        144⤵
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        146⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        147⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        149⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6836
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6920
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        158⤵
        Drops file in System32 directory
        
        PID:7132
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        159⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        160⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        161⤵
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        167⤵
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        168⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        169⤵
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        170⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7056
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        172⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        174⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        176⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        177⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7088
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        179⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        180⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        181⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6936
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        183⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6420 -s 424
        184⤵
        Program crash
        
        PID:7164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6420 -ip 6420
1⤵
PID:6596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dadlclim.exe

Filesize
109KB

MD5
4cb11f465a57af690fa2e6e961280f9c

SHA1
c3b4f9597015b2054dbecfb874d9501baf5c33b0

SHA256
ac2806c59894eb0b37165751cd29e633c0d4b264efc45944c6fdfab0e046632e

SHA512
b5fcb279443a0a89058c77d076a8b482db44d8bb088549015d38c1d9ee01a80d1db21e7ea4ca62cbfeaa778b58ea174fa5663e3a8f3eb98105910be40cd7617c

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
109KB

MD5
882d39f341e823326dedc6cd2cedf499

SHA1
8ec593503b9247fe861ad7f89fc221d5c86af292

SHA256
8a9a402a6d6b5df7d2daa8a8e07864368b34174617bdf7b999d70effb908707d

SHA512
1598b093eb3a78c1081da79346e700f21e1a8b83a152f0e6b56c6d4ee4e6418aad6638df069271708d836da85c05b27e6fbf715a30fbf7e30d74929b98b65eb2

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
109KB

MD5
9413f9adce8f6c1ca4b5bafe81ac127e

SHA1
45f4a90998e2a9bc06066c1a91e9c831c6efa6dd

SHA256
651776dbef02e7e84fa896259501af2d386f93f5d330b0bfc64eaf2738bc224d

SHA512
bd3468cc58ec80197e1507ebcd827f113f898a8e77ca662ad7bc057fe3df116a9b0477bd4ee3835031e43690bf40b08a57c3d50e2d66b16c839e38aea5ae9f26

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
109KB

MD5
f4c22a2f37a378d5f063afb68db51032

SHA1
8adf0dab49a4c6eee1f811d6336ed714258fdfb7

SHA256
20dbe517772278a31ae71227d5b3df1f5f002386a71c46e007c38c7fa0d3e8b2

SHA512
aeb10f582809aa96d7cbed91a005606ee9a5ef42fa4cabe38b5355c26862cb04f5aaf468baca69a5a0bc2d52e462a98dfb8329d1be9090b2af21a91a1999b4da

Download Submit
C:\Windows\SysWOW64\Ddomph32.dll

Filesize
7KB

MD5
f73de8555be5173f5e7c999a8757d150

SHA1
9e088434c3e690bf1f57b8509ceb8bec69041700

SHA256
7514ffd91c7af966b6cf5863cb2e07957e1b857791d1a7d03225b8b2d2b46490

SHA512
5a408d45d4e7362bed747e46c1b41fba43cb7f29943e3b322e8b766f824f48b2aa054f70f21626842eb7b9d1a2ae7d8e92c283165a2a9bffb422d9427298c248

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
109KB

MD5
d3314225fde3d25085df63c598bdbbc3

SHA1
6016aae8cb2504681405a479152042b3e116dd59

SHA256
93121501f4a9b824b26e6a8a968fdf27dfd8c2bc4f2b18f9ba71dc0d243f4c3e

SHA512
eed8eae0e28dd425f656a9f943968bafe2bcd84d0b746923f08a1220c19814a50c644a4eca1f65b26c26ff9bb8fb91eb6384459bd360e2739080e655c1eacd6e

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
109KB

MD5
be37556ae33c0961bebf3c90e25e7f0a

SHA1
c3c1bb93bbdb03aa83473ec482b3aeca9d71fcc8

SHA256
62559312549525357522fd7d7eae24675c82ce2db9d067be519c12464c49f2e5

SHA512
c62ee177adc680505135fcfa9afef418e318007eaae7272c85a3aa5ec60e726049fc2129c109183a1f78018c393a08ff3ec21de5be9ed68c2ef2d4aa7d060bab

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
109KB

MD5
9053b5d9a6fb78474491b2819b470881

SHA1
559cabe13b3e1499807d0eda396691176ac97d39

SHA256
ce6efbd88ec04448a7b78103fbef4ab04c83912b42807446e736b750a9f21124

SHA512
491acea73ccf97c004c5f595a223d0b35fe073b114887e579ae5ca9b8444dcdff05037ea2f7f01b37cbf5fc6d84422a9e68cb999a3ed0e9ce3ea80320018cae9

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
109KB

MD5
30fbddc02a7702a8a8e93bfc7e119de8

SHA1
5bdcd9841252b027d1fd26ef7931e79f0b98392e

SHA256
da6b0ff2123e7c783a31f5d9798441258ebb76af0a93b87e9ee45fd30d727004

SHA512
2b49b723a9938c3caa06bb0b99ed1017822883d2134f3fae5188a57eb178afd7433f3bfa560012d13f2d92081bde827729361b76766e03b3d52ece955191dcdc

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
109KB

MD5
98f49ffabcd859fa0a5af98b271c0c44

SHA1
f2181a4f056df1718a19d865aa468626c0762889

SHA256
f2836e50da06305ffa8d24f9458b269ddb4fa54c92964bd66b839a762ff21e82

SHA512
35a33a6c3ad09799debb5fae33baacc33c8e97b7492db8bcba1bb0970cd506bb0d776dcb389fc83ff762d26351a91770be43c1fe576b96aa737eb02571e0cba7

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
109KB

MD5
b8a93877026a6773b0cee7d9e1e49a44

SHA1
65e884a88357ed54a308d46808443cea26f9fec4

SHA256
70a1779262fffc3a4deef78cbc2d3340750fd4dfceb536c29a1b042a9ae5ccf1

SHA512
261fca0f7ff07868dbfa1dd0b2b6589cdb663f5dacabbd27504b198b660fac3c1fb0abd2e63d7d821604dceddaf8645e632a8f9e5620a150ec4f51736b106eb5

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
109KB

MD5
2744f297f825925fd4dd0654a6510a3a

SHA1
83d3b34f1158aec724dc55d0310255d493707d6f

SHA256
6359d2dbe95a31b4d56ea74db0ecc47eb6f0a67bf46611e1c3a6fc98070bbc7a

SHA512
fd6b8d53d31d0dddbfe77a7283fd731e97715c0c6fdf9896a94bc231dc2ccde77ab366bf9fea5226ea219a3be259857eb8a1b53110ea52e14529c3314e513b8d

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
109KB

MD5
3682873deeafd3cf0e777555614259f2

SHA1
9f2e5c5ad4d8abcc7f5fe5af56445558fd30b2f8

SHA256
3b9851ba65af9fc018e01e430097b8386994d00c3db6586711242ffe096cc487

SHA512
ae3a54bb09ec38af6fd81d2e35c0a1289f1ad2dada78c271292d0d9ce8214e8447d84fd0cb0ff48ddf8917768284805b7e027c7c0f7efa3b6cdd3c0df8325814

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
109KB

MD5
11921e8702cdfa55954bc69b691b9099

SHA1
cf3488c0c476d30e246d0e3655c81289387cf779

SHA256
d7fea82c14341a4766c564302f699b18bedc15e7f0a3ced5d659717fc02c7a90

SHA512
26a73d8f00abf2801d1990905ad57bf657ec9804e7a69d0ae06ab1d92cb3c2a6d13d1f1946fdc4fa81b787c5880462fdc05e494c8937f56c07ccbd7cfb1c41f1

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
109KB

MD5
d823a5079773420bca9fea186497104a

SHA1
3d0188b359a0eedb73e8a02e2fbe5de1dbb68365

SHA256
0c16b4f8e74e60a82918ba7a6e8aeeba3f381c4aa32ff40f0c4c3dcd56ac54e6

SHA512
a5d4dedc0256f3f4deb1cb277944fe5334e68a4a26b2abbcf57b2484af55246e0b17a6975d6d602153d1ef8832d092055439c2d5291a85589cbe09c99600aedd

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
109KB

MD5
ebf4a30586bdb46388764b25229eb2a1

SHA1
eb1ff0a89b90f022201b599fe6d7fe74951191a4

SHA256
8fcd329fbf908f79b337b76f2cf479261d847cf63c13a5fde5d6df66e50d6931

SHA512
7a0ba7c89a818925ba6bbf113852dc87ed94c63357e347adf4011101f3ca8012733a28843ca098250f4e1bcb20798a12e6f478e917e3a129580c9122eedce808

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
109KB

MD5
6fe18567b6d594fe140a30e82c8a2b74

SHA1
513c503e388766b859febf4de741ffa68684dd28

SHA256
28840a0be6e5ef10727c55e894273938c3a6eff22c96ce06bcbed8933a8880d0

SHA512
ca4119d5514a0bd2fd5c826a4915714d45598964d24e95b6bdc6196a0b2d08aafb51fc6cb8e3a8a6e0ca0f9ba1b08b0b6968fa415525d1226da4ba5c788fdef4

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
109KB

MD5
00f554b2da06874f3fca319b7280f600

SHA1
1dc846202fdb6b74fe7e3c3860566d6e031f181c

SHA256
26d74b0d7a44de5cd02a5de9bbb7338204d7defc0fe16d69283951394605781d

SHA512
35f5db3ac4e230ae59bf24c3e370b0d9a5baae4af11376fadd2b893d4287940b53d43f080ecc1d43687b826116f55860faf3a2a446db0b4b8160fecd20f2d484

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
109KB

MD5
f95c0a769f8c381810dd0d44ee49d5d5

SHA1
0bf28360630a43ecb84a2fa75c46b6cdde6a3534

SHA256
23c11d83b8d4af26d459d152911898afa93c8ac09b84a03f36921c2e91e30604

SHA512
134d93f11eb96b68badcbce6ed1ba091268742271693bbd9bf598fe03647f8f6be5ec0fbd74ae24ec97a3b5f5010c542242b3ab78f68499530bba3f18a3f56b7

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
109KB

MD5
e001c9907d4274f76b088a8e04172536

SHA1
d585922f975242f64fad77132f2400b6da2b4362

SHA256
23054230c3650cbc5dfb3c96f0bd5cc4cc30e197a09c939b26f4ee88785ce8bc

SHA512
ae685e99276db8ad922787a37e814b18a5bd1aab0750d6c2af42d84646b7407b13a45e0572645b93474d481462f8a59e272d755dbbd2f0049f8aa20aa51c2fa5

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
109KB

MD5
052bf6843c58a207e3b186e98ae033a3

SHA1
47fc7710783376b744982798b2a231b90ddeed03

SHA256
9c8a8b838f2a846a6397d077f155ac7ea1573f81d02db099e76295a28d251a70

SHA512
9febab8194f43e0566bb17fd54e19aae1fdd7c9d7f17b211a7edcbcabef5ef3b6371eca37eb96a674c1a6b4032f88b79b3e9dedf7e292f36aba7ad2a35919f63

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
109KB

MD5
719ee4bd27cbf6d8ca5edd27f58bc1b8

SHA1
2185365f9622451b9393692a056af1fed55a2771

SHA256
86bfeb33fa449ba85e6d1fa1f4912fffa7f622ef0630298ed42a2630069f48ec

SHA512
c933a261575bd1c538056be95a6fc349b7f1cf353d600703e7f25da38aa9a2f47d7d31a3e978b1ab4a195157f89f02b314db3aec3a319f4d69935428e101194a

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
109KB

MD5
13f957400350a1b75d11a0ebf95125ed

SHA1
eebdb54a7c5bcdbeeaef4a7e96597b25ed064530

SHA256
6dfe7bb7328018af8848b28262158d10ddee08d305585d3c547f58b871051fac

SHA512
11bb7b3ee7b9a89dca6e17f91e8b6d4c6c4a4c5717b8396fe0ea7427556d00b01752ed43f5c2723f056166cbadda7661f8bc783720a4d327f741506b2e53d5ee

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
109KB

MD5
15caf7c75996d6cb69ab5c8db0352bfe

SHA1
ede03b6eeb315569319aab2c63ee3e7941e3cbec

SHA256
1c735aad7ed5547626997653b222784d55082ca9e10c54df44a6f50774582968

SHA512
fcca36031edd383f8b2a9c6fd1c4bd857e06b30571930e454dcf21f5e77074752b72efd19be0183480c68550390192f2fdec438d7575766433f2f099ef695c53

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
109KB

MD5
b46df2455d935e3e532833e7342f6096

SHA1
08cc0eb2c671ae9a7f57d4cb8cd45a03c6d9d778

SHA256
9c6bab1d775b812e46f5268b7ad7a181fa969ff1032f3ea8f61d4b8d67ceead1

SHA512
c57c8786ff360424c910e35c6e05788a097f44d595536e448ffb3f25c380b70d3271118af947f1d85079110fc64176db0f3701d08c78ba72c324afbe70ca56bf

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
109KB

MD5
e39215fdde8108b8e8fd4d18cee66e91

SHA1
48d945d76a4385d79f00531f194939b0023f64c6

SHA256
988f03daa7ca470cbfd18516af6720ba5abb459561c2c01719e61fdb9599dd2c

SHA512
bcb8c3107b2411e079fd6ecacbd1b5236d3908895c5dd152a2168bd6c219caa1e02f2d76bef368c7a72f9a68ca77daa9d8a25c9c403187f87cb6b40cd87c82c1

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
109KB

MD5
29d83a2a50f2633b7efe73eeba34c646

SHA1
0c19c6c00dc2be77fa9c25774778ebb912982767

SHA256
e847530eca96d9f5720689ebf47d8be39456652b2144a5776bb9d79923031328

SHA512
5918b35df2e4207b0d7ec5529a25364a072207f4f4d6c5f67f924af0ac3a2771ba6b809bce0fa6d10f2fd06c50f7cebc0f4c5349bbf3d08b289c3e120d2bfa6b

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
109KB

MD5
d7e7ecd6b43f53d82aae9b568195c528

SHA1
77a9d36a260ddad8e6f138128049468d1d9758c1

SHA256
57c472998020fa6b9279fe4ed8c6f55b2585ddbec752812a09f0623df31bc5a0

SHA512
3bd686ebbc0427646a3624788ab3d8f610a87c4aa5a470601b2681d025d49d180949b8a2aa8d6d9beef575d122707bc120a42eff3e01869332ddc3133d46e685

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
109KB

MD5
789746a4bab202449e89b4c34d2b1491

SHA1
d6fd19e4c3babfd2e8580cc07cdba38eb3c0e388

SHA256
b3705488dd40d1c25bc859af6f69cc5d5970a214084d946789545204ccbd7566

SHA512
3672675b05d1afd7d99e7fa3f22b70eb429c71c077e0a31065540807b8b95c050b3ee1466306a6abd49a2fd407eca04bd9336fddb4f924174cc2135b20ff1e1b

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
109KB

MD5
709bce5767e8a9ab634efa781767c850

SHA1
e91f352488c617c386a4d1acb42f0df05b9a6f02

SHA256
967079a82d041f7fd8859986a11df43690dc5d0f91ca1c451b23535a6d7a0763

SHA512
70a187823b754da788f8f4fd386b97d662e807f5da476aef22b8673390461305a1df1f2025d85a68781ad838f114104c8734d19d7a41670d20b46d764b949384

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
109KB

MD5
bfc299cf9166ecbbc231890788be99dc

SHA1
b5c2e935c1353a260a41871d8075b57f7559f8af

SHA256
920b114505cf9870e1d0094e9f8d7f49cf43631563f886a903eb75a1ee210498

SHA512
13eab5ad15064c05f656ddb67814bb3f72d5dec9cb8427bf1f496be75fae4a356c87abf0b95be525e240811c49204df7afc18421fd74cb9c2d2a543d8829b3fd

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
109KB

MD5
2e282010d2b359b31989e91ebb574517

SHA1
1ffb969521d9b316647ae90c13d78720bd864b1a

SHA256
531e7ae931a450f69336b525390cbbb6d86e4f9bc981fa36a5cb97aecb9c092d

SHA512
b7d78320c912b9be36a6d67854c9c10fdda91fbbf5e91a2e61144c08a054c879d7b9cce8389e08b4f9b8ac3c59e12be0de7f3953e7afc5ef11e472c571dee410

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
109KB

MD5
17877fc667d053c092126358e3eb8b29

SHA1
4de02e48180a8dbbaad52792477418afefe68ff5

SHA256
091ed02a33204b1ede2017076249871bce07417a115bf4d36337fd356ad8fc8a

SHA512
7c3a67c853ee88b101450359f832711d0726a4444254bca85dd36cfcbac01fa19f71b8d9a86e2a5a389c9beeadf17dbb86f810846255b3dd532d5294178ddaca

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
109KB

MD5
1ceb8878ba9fb819b02f0f7b41ed237a

SHA1
8bbb87bc38d226cb3a0884fd41e35a02fd8302d9

SHA256
be659da67225b86272efd7fe6b188eaa6bde5696d724dcb74f2e1e81ae0e15af

SHA512
9465c389b11e8117b87840bb23395469c90d93bebebbd7563566b005e8ef6f0bc8f1ec27464a1bb6790245fdbf83fb710b84a8f8998f2c463f1fd4a76b677c60

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
109KB

MD5
535a94205c7b40d4e269d5e59e7ae897

SHA1
0f8827e99c46b702fdc7ffcc46840f6b6b15fb71

SHA256
0d0f4fdcce7ad90cce08abc0ac49e2092e7c8a97e7fcad9d5122ab9ca20a2bc4

SHA512
aaeaafbf02b7e6da04697f4d71405b2f30caa05b785f4bcc75e49f03d42f06e9aa1608123ccc21386538e65a345a936edf197f9748300aae0d30121afbf09926

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
109KB

MD5
1092a8a345c6416d6175f558038250a9

SHA1
a491042f885816850ab2cbb8e6ac40e4a1a81787

SHA256
4d4828bef266931b006885872c1947ee2a028e57b13d1852d94882e4d7d9e6a8

SHA512
0d8cefede9b1918d49ade4a127abcb75be6672b8737eff4c4456c5b04af4492fc72d52eae9a50178cf11aae7ce77e4019856ad0351eea79cea9cb6a91d626da9

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
109KB

MD5
41b2db2fe0b11512b1de45a6eed44632

SHA1
9d8c1cec479e91402cff183051511f178ccc8b50

SHA256
8851c3a4cd2a014a23c57834e1c7f14f70cd16d353413c56071336bb4de0d9b5

SHA512
b5e02eced470561adef0bc5d0edda532a415301aa2149664f583a072305f60af5049b94a5d66c04849c9eebe3f52cc9bfa6b3a019dc803c1bbbbd16fb242ab8b

Download Submit
memory/228-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/680-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/680-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/912-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1004-86-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1004-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1016-328-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1148-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1148-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1236-271-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1300-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1412-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1412-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1568-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-199-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1636-130-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1644-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1720-223-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2088-309-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2136-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-182-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2428-110-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2428-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2724-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2984-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3036-234-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3160-301-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3268-349-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3344-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-294-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3552-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3780-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4012-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4012-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4044-174-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4144-201-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-42-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4160-226-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4292-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4292-208-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4456-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-342-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4504-210-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-367-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4608-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4608-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4716-336-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4732-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4884-196-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4896-194-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4900-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4908-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4968-246-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4988-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4988-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5008-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5008-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5032-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5032-122-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5100-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5100-265-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads