9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
Size

402KB
MD5

1db5b8cbd6e06f07897914da167fbb6c
SHA1

25ac4b64a699b0656ce2647f6ae133233b569079
SHA256

9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641
SHA512

43d9f4864a18e86dcab54233f15f5a659dca54fee0b0edf55b61d9c510dacc78fd57662ef7920ffd73f398ea8e4e45cf4fb3620b7c83d53c8c57586742b62189
SSDEEP

6144:j6BlZ1DoYPvTpN0xHuwdkAj51VezfHZ3neNZpGkXo+TCCYOs5PHdC:juU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daifnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccjfgphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ficgacna.exe

Executes dropped EXE 64 IoCs

pid	Process
2316	Cakjmm32.exe
3244	Cibank32.exe
4800	Clqnjf32.exe
1576	Coojfa32.exe
2232	Ccjfgphj.exe
3460	Cidncj32.exe
212	Chgoogfa.exe
2068	Coagla32.exe
652	Ccmclp32.exe
4520	Cekohk32.exe
2040	Digkijmd.exe
4688	Dlegeemh.exe
2608	Dpacfd32.exe
4756	Dcopbp32.exe
2296	Dokjbp32.exe
1888	Daifnk32.exe
4072	Djpnohej.exe
4112	Dhcnke32.exe
3760	Dchbhn32.exe
4412	Ejbkehcg.exe
2860	Ehekqe32.exe
4636	Eckonn32.exe
4252	Efikji32.exe
2404	Eoapbo32.exe
1364	Ecmlcmhe.exe
3572	Eflhoigi.exe
3152	Ejgdpg32.exe
4120	Eleplc32.exe
4444	Eqalmafo.exe
3928	Ecphimfb.exe
5000	Ejjqeg32.exe
2276	Ehonfc32.exe
3840	Emjjgbjp.exe
1480	Eoifcnid.exe
4616	Ffbnph32.exe
1568	Ficgacna.exe
984	Fomonm32.exe
4704	Ffggkgmk.exe
2196	Fifdgblo.exe
4048	Fmapha32.exe
4980	Fckhdk32.exe
2908	Ffjdqg32.exe
3188	Fjepaecb.exe
3724	Fihqmb32.exe
1716	Fqohnp32.exe
2128	Fcnejk32.exe
1232	Fflaff32.exe
1940	Fjhmgeao.exe
684	Fmficqpc.exe
2564	Fodeolof.exe
4652	Gcpapkgp.exe
3112	Gimjhafg.exe
1548	Gqdbiofi.exe
4284	Gcbnejem.exe
4504	Gfqjafdq.exe
3616	Gjlfbd32.exe
5008	Gmkbnp32.exe
4388	Goiojk32.exe
896	Gbgkfg32.exe
1772	Gjocgdkg.exe
2308	Gmmocpjk.exe
4620	Gpklpkio.exe
2256	Gcggpj32.exe
2616	Gfedle32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Qjebnamp.dll	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Bejnmepn.dll	Eleplc32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Ccmclp32.exe	Coagla32.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Dokjbp32.exe	Dcopbp32.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Dpacfd32.exe	Dlegeemh.exe
File created	C:\Windows\SysWOW64\Eckonn32.exe	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Plbehnol.dll	Digkijmd.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fomonm32.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Coojfa32.exe	Clqnjf32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nkklocjg.dll	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Jingckla.dll	Coojfa32.exe
File created	C:\Windows\SysWOW64\Ekfnlmai.dll	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7588	7496	WerFault.exe	305

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpacfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlegeemh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daifnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dchbhn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2316	4664	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe	86
PID 4664 wrote to memory of 2316	4664	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe	86
PID 4664 wrote to memory of 2316	4664	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe	86
PID 2316 wrote to memory of 3244	2316	Cakjmm32.exe	87
PID 2316 wrote to memory of 3244	2316	Cakjmm32.exe	87
PID 2316 wrote to memory of 3244	2316	Cakjmm32.exe	87
PID 3244 wrote to memory of 4800	3244	Cibank32.exe	88
PID 3244 wrote to memory of 4800	3244	Cibank32.exe	88
PID 3244 wrote to memory of 4800	3244	Cibank32.exe	88
PID 4800 wrote to memory of 1576	4800	Clqnjf32.exe	89
PID 4800 wrote to memory of 1576	4800	Clqnjf32.exe	89
PID 4800 wrote to memory of 1576	4800	Clqnjf32.exe	89
PID 1576 wrote to memory of 2232	1576	Coojfa32.exe	90
PID 1576 wrote to memory of 2232	1576	Coojfa32.exe	90
PID 1576 wrote to memory of 2232	1576	Coojfa32.exe	90
PID 2232 wrote to memory of 3460	2232	Ccjfgphj.exe	91
PID 2232 wrote to memory of 3460	2232	Ccjfgphj.exe	91
PID 2232 wrote to memory of 3460	2232	Ccjfgphj.exe	91
PID 3460 wrote to memory of 212	3460	Cidncj32.exe	92
PID 3460 wrote to memory of 212	3460	Cidncj32.exe	92
PID 3460 wrote to memory of 212	3460	Cidncj32.exe	92
PID 212 wrote to memory of 2068	212	Chgoogfa.exe	93
PID 212 wrote to memory of 2068	212	Chgoogfa.exe	93
PID 212 wrote to memory of 2068	212	Chgoogfa.exe	93
PID 2068 wrote to memory of 652	2068	Coagla32.exe	94
PID 2068 wrote to memory of 652	2068	Coagla32.exe	94
PID 2068 wrote to memory of 652	2068	Coagla32.exe	94
PID 652 wrote to memory of 4520	652	Ccmclp32.exe	95
PID 652 wrote to memory of 4520	652	Ccmclp32.exe	95
PID 652 wrote to memory of 4520	652	Ccmclp32.exe	95
PID 4520 wrote to memory of 2040	4520	Cekohk32.exe	96
PID 4520 wrote to memory of 2040	4520	Cekohk32.exe	96
PID 4520 wrote to memory of 2040	4520	Cekohk32.exe	96
PID 2040 wrote to memory of 4688	2040	Digkijmd.exe	97
PID 2040 wrote to memory of 4688	2040	Digkijmd.exe	97
PID 2040 wrote to memory of 4688	2040	Digkijmd.exe	97
PID 4688 wrote to memory of 2608	4688	Dlegeemh.exe	98
PID 4688 wrote to memory of 2608	4688	Dlegeemh.exe	98
PID 4688 wrote to memory of 2608	4688	Dlegeemh.exe	98
PID 2608 wrote to memory of 4756	2608	Dpacfd32.exe	99
PID 2608 wrote to memory of 4756	2608	Dpacfd32.exe	99
PID 2608 wrote to memory of 4756	2608	Dpacfd32.exe	99
PID 4756 wrote to memory of 2296	4756	Dcopbp32.exe	100
PID 4756 wrote to memory of 2296	4756	Dcopbp32.exe	100
PID 4756 wrote to memory of 2296	4756	Dcopbp32.exe	100
PID 2296 wrote to memory of 1888	2296	Dokjbp32.exe	101
PID 2296 wrote to memory of 1888	2296	Dokjbp32.exe	101
PID 2296 wrote to memory of 1888	2296	Dokjbp32.exe	101
PID 1888 wrote to memory of 4072	1888	Daifnk32.exe	102
PID 1888 wrote to memory of 4072	1888	Daifnk32.exe	102
PID 1888 wrote to memory of 4072	1888	Daifnk32.exe	102
PID 4072 wrote to memory of 4112	4072	Djpnohej.exe	103
PID 4072 wrote to memory of 4112	4072	Djpnohej.exe	103
PID 4072 wrote to memory of 4112	4072	Djpnohej.exe	103
PID 4112 wrote to memory of 3760	4112	Dhcnke32.exe	104
PID 4112 wrote to memory of 3760	4112	Dhcnke32.exe	104
PID 4112 wrote to memory of 3760	4112	Dhcnke32.exe	104
PID 3760 wrote to memory of 4412	3760	Dchbhn32.exe	106
PID 3760 wrote to memory of 4412	3760	Dchbhn32.exe	106
PID 3760 wrote to memory of 4412	3760	Dchbhn32.exe	106
PID 4412 wrote to memory of 2860	4412	Ejbkehcg.exe	107
PID 4412 wrote to memory of 2860	4412	Ejbkehcg.exe	107
PID 4412 wrote to memory of 2860	4412	Ejbkehcg.exe	107
PID 2860 wrote to memory of 4636	2860	Ehekqe32.exe	109

C:\Users\Admin\AppData\Local\Temp\9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
"C:\Users\Admin\AppData\Local\Temp\9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\Cakjmm32.exe
  C:\Windows\system32\Cakjmm32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\Cibank32.exe
    C:\Windows\system32\Cibank32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\SysWOW64\Clqnjf32.exe
      C:\Windows\system32\Clqnjf32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        24⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        27⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        31⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        33⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:984
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        39⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        40⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        41⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        45⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        47⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        51⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        55⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        56⤵
        Executes dropped EXE
        
        PID:4504
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        58⤵
        Executes dropped EXE
        
        PID:5008
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        59⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        62⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        64⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        65⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        67⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        68⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4396
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        70⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        71⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        72⤵
        Drops file in System32 directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        73⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3536
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        75⤵
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        76⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5044
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4420
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        81⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1904
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        83⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        84⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        85⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        86⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4440
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        88⤵
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        89⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        91⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        92⤵
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        94⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        97⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        98⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        99⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        102⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        103⤵
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        104⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        105⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        107⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        108⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        109⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        111⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        112⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        117⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        118⤵
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        119⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        123⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        124⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5612
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        127⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        128⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        129⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        130⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        131⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        132⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        134⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        135⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        136⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        137⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        138⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        139⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        140⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        142⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        143⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        144⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        145⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6112
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        147⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        148⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        149⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        150⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        153⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        154⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        155⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        156⤵
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        157⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        158⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6388
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        160⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        161⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        164⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        165⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        166⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        167⤵
        Modifies registry class
        
        PID:6708
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        168⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        169⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        170⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6856
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        172⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        173⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6984
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        175⤵
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        177⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6216
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        180⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        181⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        182⤵
        Drops file in System32 directory
        
        PID:6484
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        185⤵
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        186⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6888
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        188⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        189⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        190⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        192⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        193⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        195⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6924
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        197⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        198⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        199⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        200⤵
        Modifies registry class
        
        PID:6808
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        201⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        203⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        205⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7180
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7216
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        208⤵
        Drops file in System32 directory
        
        PID:7252
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        209⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7296
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        210⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        211⤵
        Drops file in System32 directory
        
        PID:7384
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7416
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        213⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        214⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7496 -s 420
        215⤵
        Program crash
        
        PID:7588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7496 -ip 7496
1⤵
PID:7560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
402KB

MD5
50ec02b9a14f06209c93fc4c624e6c79

SHA1
00755ebc6e521cf5f95a295b63389a1e56faeb12

SHA256
e23dc3a90e250aefd153ddb578b65b827c3a53027fa06f68201115c0cec45c96

SHA512
099028e58cf3f88216e8aaba0377696108ff0187c61894132eea9534b2e9a6264e32ee48c3cbe851d09066828623d061ed6f95895d5baa31dda3f3b81cac7176

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
402KB

MD5
74edaabe51734e389b25a94027e2d288

SHA1
795fd7da8989a172c290d7dea8635ed6b811c415

SHA256
d5cc819e8cb33ab335bdb4b440f6b4ecc0299a57e4fbe94533c9f514a9fac5be

SHA512
031dd4e1bc92cd2b010ecc507dec200359622ad0de0924fe9a79b0fbc6145731d3ae6290634b58dab1b699ef3ef478dd67a278bc7b0045d02044667b72356d2f

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
402KB

MD5
992d89cb4e20275856cc83b4ab4b5690

SHA1
0d34c3b97cf1cd364af831af545d38579f100f04

SHA256
5ae9b7804e031c1a4cc5f2e2d9c1cb9757d0db865992dd06d7dd8d700e91ac02

SHA512
fbbf1479ac48b0b5106ae3eefa325f283f53ab17eec48c7f2c2613ad4f4ff8484bfae9118fb250b23e1cdcc53cfd935137ed4739e4346d65fb097a633c23a1dd

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
402KB

MD5
6005917d602131a48784a0378ff0e39a

SHA1
89344d0ccf4d8779bd1abea46dba40bf8961ee90

SHA256
fc96093f2ff22f4a5e4921101858932b73d2e8240e7a4d0b2ea616e130ef36e9

SHA512
ab0b46cdb37159889f249b2e35f52cf3b2913a5f76a2e42966dc424b7ad84a4d9619ba717a560a28725cb0a2cb859995985c8f3123d1e5804c783c0984615d8c

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
402KB

MD5
23634ee8be638d918a22aa9d0dde0e0f

SHA1
25d6321ac27567aee384e522b14260bc27a128dd

SHA256
f67cf38ca265ac811261c83b5f722134e7674947a7fdab70fc85ca3c56bf7a25

SHA512
712c51532666cbd9862baef3e9bd5d20220da573e8f0529c005f122c58d046db97aa0d115302590ec907080b11314401e51ad92eb5a58169bdb3906db5ba2441

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
402KB

MD5
6e5c4cfc8fc82e56fc8d7f9025d0af94

SHA1
f4091b9204747bfdc4cab67a0307c917178127a5

SHA256
0cebef7d09746f5bcd4267e946ec91a7a5a532dfca57a1b26601b5c285da3d7a

SHA512
737bd98c7a29e3d0611f2dbba296b5f1e5b880d0d90f77fa0c2ae0c3ebf4d5bcd2adfecb773101d5093f25a3be2253fbe1db955a6125c9c427c6bf19a83ce7ad

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
402KB

MD5
5896dfee5f0a0a8f40358614291b0f78

SHA1
7ee4a53821896d932aad99010275d47cd8ff34e9

SHA256
5a567d70ce3a2be7932de85b193332d62340544b8a8a651f089194e948a2a153

SHA512
5066cfdb38da2d42ede2d3e928e1f8a35e03764a23ae04f80854ff3502160c5e15b3bb939134256fb8d42b7410ad510dbc33cbacdd0910a3c613a89c94cee1ce

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
402KB

MD5
c0086db957e61ca997f4a03f76f9f3f3

SHA1
f778a50464b655e8993f19c5e1bd39962b9d9709

SHA256
cf2a3c0f6779666ae6474dec986eb80dbd3bbfef41fc2b8700ac5d33f6624ca5

SHA512
cf3dcc145d1460b0aa2c6d38dc002d42ec8ec21b1be625887b50ed37fb18932b0083347350994b9e269ac407a2903346557d69adf36e79ef5cfec99e23ff424d

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
402KB

MD5
a14a7f834568b1698ffae68257d0504d

SHA1
01464258d632c893292c200772603737007d6802

SHA256
c2986554278c54fcf7f4411bd060bbc0d40675bee8ca33fbec6fea7abbc0fe74

SHA512
06fe321487a2c95e6a42bd167c4e63a92a76f18a3783f79ebd7b34d182bf3fcfebeb9fb51556d7eb9c0dff733762dbfc104a51643c0307d15a87f6ad9dc8d75d

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
402KB

MD5
01f95b9ad19c566fef5407aafe7b2aba

SHA1
83eabf0f3105d4284e342f24d7e3913006406c92

SHA256
4052b6f760525af0a7bdacc55299bee7c8a1773ae11e6eba08f175805313650b

SHA512
73a05b188e4c65be2c6ba7185cdf9412a588685a284e69acc2d89900cca2551a2ea0e14513f4b02e23cb1800ae760d812250d29fc82c3ab1760daa01fc55831f

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
402KB

MD5
a2d815727702b8acf9fcc4f6d6a3ed0c

SHA1
d79e28313571d37f9cb5482bfcaef469c60756ce

SHA256
6308276433297121e789439ba4e96f3d31244ecf53d41db284da225570fb4d6c

SHA512
ac975bd2e842655273b591fe202ac96ae4702ca8f6cff54ccffed9969b3a7fd9cf340fb811fb62059dfbb2248c4fca87957fc720ee0e7632fa6acd8c063f024a

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
402KB

MD5
761b3c20ef8e3351817d382c90d97d44

SHA1
f1eb6de9b1aa019684b21334ba69a582f6051896

SHA256
cef4ba7d2586193625e53133255dfd16a5978db3f41caabca6e846ec7770dc90

SHA512
dbfaf96f956636055f19e226ede586d811b3b97891186ff6ca3cc24a47121518419a321163516452822988fb635f7b0805887bbef9ec5cb7dbf256a82279d33c

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
402KB

MD5
572df5b523c3b03a829f499d5cb23c3b

SHA1
38baba5898e945d9159be8862a8ee9ae93854ba8

SHA256
aaf859845307787919f4550d341b7249c2e59234788f2996b0b751e97d1d4cc9

SHA512
5dff34342e4ab6dec8fac47013cdd582b6c4a4703972063e45154863ecb648b104e0ea0dcbb9d2547dd4abe4a02f33e394c8f5ebfa6d04dcd8d4566d8ef1eb96

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
402KB

MD5
628c2545957f2597e0cd3cabe66fe312

SHA1
aa59a4d5f01e1459b6132845ae25d6ff2ea55e0a

SHA256
4d6384868722c7bd9781a6c54e675dea094cfbf66a6defb8efdaeab164548d0a

SHA512
af9f62eb28e6253878fdb6ae1fd16aeb00863ec002646fab3c5fa7855622c14c4199c1406f4578d3005d555da19289c285ab295accfb0ef22c8400dcbf4bfdb4

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
402KB

MD5
1cb458eda6629b48d9be336e1b6cdd83

SHA1
d030ef21fe4fdb786032ee16bb821154b4da757d

SHA256
cb0143a48b6c64c344c2054af8f2b34b36fc7b0759b6ef29446cd9dcdef99136

SHA512
d3e55ddedbf383cb735dfc8d7846a8b681cbff173831ef0c95650569d21c6649cc39cb948f990768a278076812305f1b59676eb2309a3b2a16a186ca991e3985

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
402KB

MD5
b277c2165bc5611000d49b68b0795179

SHA1
40a88442c2a2f0702341918ab76fd37d53dac90b

SHA256
9c4334f730ef564fd791d111d9a9b24338781165dd4912606b4821d2750647a1

SHA512
9a493cfdcc1d24029163af0f6832d03a18cb7fffaea57f354a8d0fdcb39064d7f8bd5ea7c9b4cc456abed2f4893531d25efe8cc3452fe1fcf48e01b92d9b1a11

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
402KB

MD5
ce1768e710b8046cf45047334ffdbd9c

SHA1
923738a0cff9d9383d072435e6463e6d5ccbc06c

SHA256
558cc6f185bae3be3aedd509efd1e3f2ecc73625d958f4cc1b5f2b2207c3df24

SHA512
9ba986e1cec705e50688891eb76812c1e2a84bb9502db63ad4a0edf71c93387ed5791521830f066b5e3ea81a7f0cc6817084a51ed7e2581d9293d14636edb63f

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
402KB

MD5
4c95759544fc58ec0b557be853d32aa5

SHA1
b6afd00c323a5ea58999ba24865126119210dce9

SHA256
71b02b538f257463ac7bb9024e3a062f54925d989e353652bec32ad650fdc336

SHA512
3db1d7d75790acccb48d44701a9f37ce3d93ac254111a9983d077b8a187f31b42b5ce6d1a7b723637ed314becd8061fe1546040a389390ed726ff7a8985d5031

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
402KB

MD5
76b9410513ed8a06070367774f7a638d

SHA1
6a935026d49f327b3e54075737c1b942dad0dba4

SHA256
f9d49d1a396902b56ad7103e6e40dd2c023391d5b6705296e3cbc5371819e95d

SHA512
060ab1be117728e5ac994fa1c43b5d3fb2285c26670d30df72f54841836188f8448bad1ea780e362573ff84985fc1c8440e4edaf4eb3b165f86025318d7541d3

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
402KB

MD5
ba7de9ccc7a8b625c18495ca8a312af0

SHA1
0004e75644c9565373ccc9a0c2731992e7df6580

SHA256
d20fde96bee569ab8b2c6453c40c088f54a20d950b7ececbeffe9374793aa081

SHA512
4e9d9bfc51f4b6746fddcbca60c21902dd460adfd067e7fbbd4a3d18ca0877437469f2b590f2db1cc5e414d3cebac9e9368817cd4df0f7843cb07dcecc7bf55b

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
402KB

MD5
243046b658bb65edb4b78c6df7c22e69

SHA1
fd07bb0401e9d2931ed48b026f2d45d049d8ff23

SHA256
67d9bbd38028452d0f9167be705a5587cba1268d8691f93697d8cfa65fb348d3

SHA512
a0010fbae6b876d32193ae1a33b9465d8362224c7a3d5c970c3cd3a698f010d47445c02f61d426f146a7f94522b0f80a57929e5f92f9e843e9dd0efde328c51a

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
402KB

MD5
09cf9a6469d0d0eb7c526c0a9e606634

SHA1
7c2002fab4a9b356c2c9f7aade575258badcdf43

SHA256
4f478b983d0a026e94639b1aceb5da8a8144084338f427e178ab3af82e0ad358

SHA512
466d6e74a2132ddaa375c36eedf76f17272a7d765c0dd4a0c87faf970db95d68afa8fa0318d219848ac2aae07964e5d0e73195aecbf32050d4c979d234beed29

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
402KB

MD5
e593f1e5c34bc5196910076e2710dea2

SHA1
55c523945c669c523e55a21ac1d2f5cfe8dbb252

SHA256
acb4df471d1257769b6fb9c996d1236bc30d10404eb9699b5bda35eb93a3d090

SHA512
f9944050da4ad79bcc41101d0967e01bf8b495a4806253d1fee355662cb4d37e8c3838bdf96b0769e2b85f00e530bbe2bd4af375bba0d08286316f2f37c56cd8

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
402KB

MD5
3e47c75aa0d0937d83c211949bef9ba6

SHA1
46b657b201dac5604a2eb6391a85ac50848cadbf

SHA256
e825f5593a6aa55b73cd2912ffc226fcb68bad8b816b8e8d34d24bcb2925e277

SHA512
739188aa3c2664d8b5f8c4ce0e70a771638851ef4fc5f339eef390a286312273c9ec5542abc1439273f7acc4990ee03456e5a7cefa5c86c888bd8db5d2b3ce79

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
402KB

MD5
40579691bc9390db070af95cf33dfbc7

SHA1
7f6dc67bda15ace16bc3556c04a85f0c0adf212b

SHA256
57e5490679dea8511a9f86345f219adb3c0c1d130ef7d41f9bcbc8d7c1597fe6

SHA512
9f042aa1a98f04c7a865dc75b7a8a0f4882f03dc6dcd6b488031ccb0f91247bbc3dfd5e06e9a9c0aefd9c2259d329b1cbb98ace5016e68111205c9be37a01a39

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
402KB

MD5
69120d52f2331c3411cff36d99cc43dc

SHA1
2f8d5bcd320940835aad0de856d135feda5cc047

SHA256
59a6cd302d2206d60e506230ddeb16daf34250cf7d4e85339ff6c57d7570ba17

SHA512
17d9174860d6380b5498920df5e5e44efada34e7004ac637b32e3aa0e7f4f6b859ea33ed329b8867e9475da2116940175893c8de9262df737a50aaf4fbb2cc3b

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
402KB

MD5
b962ee599a64a5b9a9193a0fc61bd034

SHA1
86d3c1a7f891da884c0ac8285b537f449b49cda4

SHA256
eb6fbb8cc09cfc0d4716d5fc828db752da774489cb4082ae2fe76f7ed701ed02

SHA512
54850b775430219c86c10de7d34600049a62d168d44f90ce333db2aa1fb468c4fa3b820136f969d524e952804c57b4e99a972b0fd66597cf779354bd38a0970b

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
402KB

MD5
b60b45efa86ddc1aa239e39be7924728

SHA1
a976c2ac133129403ed46f78e3fa3179ca284c91

SHA256
bc16beb65369d0133c9465fe0620b90e772a7c843b6c60f58778554c247f009d

SHA512
47ee41e4eaa1f31f36411c6a77dc3381569973408ed48c6c0d4483e394b5622acfbc5656cca685fe1964b505871715961a282985e672789bae63ac41505facb3

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
402KB

MD5
f78a1382a626d93762332bbbad7eb0d0

SHA1
03acab920b16cacafee691b8e24e57fae59bf2ac

SHA256
7645bbcef414e68d3fb9ddd8e8d35088ffa18016c280872f0fb2531beb45909e

SHA512
7de71579fdaeb83d6f2cee6853e1b000ff0a87dc253247963a1fda1e054db4d38d57c176e4766b4dee1136a78635c148dca5994b21c3b3537cc8ac44c5662e22

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
402KB

MD5
0d194bfa5fcd3d2d16049169fb5a821b

SHA1
df418c3a7609789487ee169ae9291ffaa53479ae

SHA256
e0725fef5acd59ea761ffd0f50004fcb26b5924d0b9040c74ba9f7abb717ab83

SHA512
e5b163bc7fe9203219a05ee643ba0e8bfbdcc03d091ed5ea4c3c683b8aad2fca8d6e05a3e32f48187305f4c7dbe2411b655bac50a85d58e876290b92a81fb310

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
402KB

MD5
1c9c96a1f33a847b3b13bf3db70a1ebb

SHA1
9b64a5d39ada1ae7df6ac42f31baeaa61c7b77f5

SHA256
c30a6d6a9a50ccdcaf4d019116611f4229639cec54a5dcdaa0687ed637f81810

SHA512
d34da10e6ba2ed418066d53a9ac4a93ca4b07700bda5b72060ad4970de9109d812a388eebf745944f8df91bca5d3749c5a9c971369533ece8c33e66c4a7a2e7b

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
402KB

MD5
83c80ccdadb6ec9bdee0fb4d7ff80b8b

SHA1
791d0182ffd39068d0f941df11306982fa83e029

SHA256
90553635eee7fbc6fad51cf3b140963681f1f1d55046b2ae985ca5ca59a80a1c

SHA512
f6bed2bfde82f8e9b6d1b3c5e68cce319e3875ca63296e08b7221d4c2927075fa06cf91f71bb61b7aa4a043b05f70a8c6e139d7b31c76c0f23aead354177efe6

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
402KB

MD5
e464f01780a00f159cdf0971dee7dd92

SHA1
afde31d3771a0042d7c4a610d6f292b5de00ecb6

SHA256
d7ff936eb5788aceab0dbaed7d13dcd317612f1e3caa6330770c9b78e4303623

SHA512
839965d3c11a2e003224359f0dbf24aba7c2f4bd46d26481917bb3a19d7ad3da366db967b86f27728f889dd3dae231d6fa6104b3e670bc8d0797fb09e713c835

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
402KB

MD5
a50f737e49bb3c0b06038397cd5437e3

SHA1
77637b328a17092f9714f2b8ef899acbdec6de59

SHA256
24465c0a88e0c0ffbabc3069115e3a7f672b060212d065abfc26bb08d2a93b96

SHA512
06aa2fa3f5de28e2dc50c69b5b9ee6caec92f88e4a6f56913a9026ccf7bbfd41002fc954b884916e10bde76e827e0566287671e3c8ce2b9e353c24c8103c3600

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
402KB

MD5
e3e965ac64f091763d0725ca67ed5e12

SHA1
a7949ee6d4465214465f027df56269fd7ad6ee72

SHA256
bde2e066578156747460d4c9e2675c0f1cf5bb4b844028549dbfee9ee7c1bea9

SHA512
aa4ced2f8e8be110343b1391c1c070d1f941750a4a3d7dd922332d33735ca5c6e7723734fcd5f6b1233696f617352c4dd0c4d9cbf883fd55fbead9944ef6abd2

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
402KB

MD5
f02e5689609172fee87c4be047bc2494

SHA1
e1c29cb088720e6e6da90e108dcbccbb8ad62210

SHA256
866ec4edd01a6276dd07bd2e17eade1e18bf56053819edd1e1b98e5eb3a1f4c4

SHA512
4596b07cbab26b388f04522a6819449899897941a07499cc494689520e7f18f686225a3952041dbaddce7119aaabf15009b05b107ea2a1289524c9d0ef66915b

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
402KB

MD5
34b0c6cc0d9dc8a900bf77cddc621c1a

SHA1
ad3ee6041e193e7e5e27323905578dd743ff1144

SHA256
e62598ca8bac7d91fd2c211b97ca1ee547f6cbc82d4b047d92cd617d35159316

SHA512
608ff3d97108bc97c2ea6c54309a498f440d45cb50e94080d33d222ece73541c31ea108a47599fabad12342438661dbaddefbedeb59a7877aa1c8a6d9dbc361a

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
402KB

MD5
cb9a27be29e174667ab9d9ce13bb828e

SHA1
9217b6392a1cec580187a4693159e579bf2ae944

SHA256
661bdb1d6ccf0ffdefffce19fc4a77212ceb083d1997a67ab73199a2b043ed8f

SHA512
14c124039c964a0241c2f2df1f3c1ac47a88ffd64f2a83d51addc19f524a89186efa354ce793a943019cf017b87f9e647f73371ef160a9c9883ab38502425716

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
402KB

MD5
9cdff4fa35c1ab18b5e43ddea552c00b

SHA1
0398f1345290a041100e6e177a90fa344053b1db

SHA256
68c8df765e4a7ebfa37da84eeefd32284cb3a8858f17712a24d30e435fca81e8

SHA512
be096d8cd4be1ad69154659bcfe441ca958603ea993954742555a16450a415b799d7a3eae6af60d29a4d971b498a05fe06a3328db2964ee7af371d70abeb0cc7

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
402KB

MD5
613dbdcd6306f673ef2b743f705d1ea6

SHA1
13a700fcf3bea8eb7c8fca6d6a74e07123a14c48

SHA256
16cf2433ad7170f536dac6b1b08e4ed9c1bcc927e37b9b3b1352dc4e0ff8ca7e

SHA512
f31703d644a91f822cd7f099c9be9de25343f3be2db0e7822963a10cc32dd37a4942afbca1668207ee2166c431d79d337475af45f617d1d0c30d1ad7398d08ba

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
402KB

MD5
c3034299fd2587c852b364a294b11c05

SHA1
82c3e9deccd7da576347e5a66b1fbf4244393a22

SHA256
b74ec7b8db5029e0db15d2b957d75cc1be233796394ad36e01b39edff0ceb828

SHA512
2c33fb0d3569e696d5d83e9ab6dfec762fe1fedbc25e50df5cbce2c1683b650703c34b011b578c0a1648deb383f8fa7f4e231cbfa33644e5c7888bc64bdfb224

Download Submit
C:\Windows\SysWOW64\Hibljoco.exe

Filesize
402KB

MD5
7937b5f8a52c97737a2c192fa685da6b

SHA1
4dbaaa8cebc09dfc8e704a9e51909d7a1e50ec70

SHA256
953dcf5058e358a7a62b65869122d7c54c3ce428f606a11d88d725ec6f02a2f9

SHA512
2c7fa82d48b6ba87d621ca1e46f9e3df5480e14fb055372f4fbb7b03eb1fb5fe4acd2b3321ea3b52c6666dfdc7053d9d7396b0aeffb6c924c61f465e1ebc1bcb

Download Submit
C:\Windows\SysWOW64\Imbaemhc.exe

Filesize
402KB

MD5
62a778fc48711434449908d91bfbab49

SHA1
6c5e8730879adec2d4020a29c7d888aeefc02119

SHA256
9988900522044ec6948ba6a1bcd9a5f65ba49ad70db62e244f20b461922d6cd8

SHA512
93b7db04ed5818c3901b3bb9c645ed5667157d9076a4ff4f64ac3a5a9433eef1de25ed257d95424405f533ff7c050256093bf46e0c52cac550d58871dc125de7

Download Submit
C:\Windows\SysWOW64\Jingckla.dll

Filesize
7KB

MD5
fd67f86364e7b5804f83c96fc256648d

SHA1
7a718f0fafbefb76d50e89c3ab621d69b984b687

SHA256
ade137aac7b91fe0110229261b4d3b0b1b68ec44a69029e4f7f225b8b240fa17

SHA512
b7e7f9e9912dcda9b356c6a3ac6353fc14d0fab03441ff5cf78b283c5fcd0a9e07431ed3cdb5ffed9f1619664ffd6769cff6da437ce5ee21477b032afbafe5f5

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
402KB

MD5
3892612350389a761c0a8436140249e4

SHA1
d29b6a6c0cb2d7d79dc611ce6a181049fce95285

SHA256
57d4ce3a39d87fbd9e5c3148804f80bbe8c543cbd3cafee4a6b2e8411c004017

SHA512
0198eafd86cae5035a5c0972afe05e82fbfe7c12bb0a1ce5ee28d447337f2c18076e10d275e309f449137ef694af32374e716ac165aee5e2d0c473e98033e39a

Download Submit
memory/212-106-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/652-102-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/684-357-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/896-409-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1232-343-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1364-200-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1480-267-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1576-36-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1716-329-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1772-415-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1848-447-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1888-135-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1940-346-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2040-104-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2060-453-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2068-107-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2196-300-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2232-51-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2276-255-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2296-120-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2316-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2404-191-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2564-362-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2608-105-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2616-441-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2860-167-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2924-472-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3056-477-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3112-370-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3152-242-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3188-317-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3244-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3264-485-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3460-54-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3536-495-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3572-210-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3616-392-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3724-323-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3760-152-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3840-261-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3928-244-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4048-301-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4072-140-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4112-144-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4120-233-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4396-461-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4412-164-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4444-236-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4504-391-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4520-103-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4616-278-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4620-426-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4636-176-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4652-368-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4664-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4688-108-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4704-289-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4756-112-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4800-24-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4952-502-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5000-246-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5008-401-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5016-460-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5048-479-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads