10f400842811dbd8e1e595263fdde1a8c8dfd6769a3f46bec12a716a20b624de

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51d7986eadd4479eef1da39f9e46e74a.exe
Size

85KB
MD5

51d7986eadd4479eef1da39f9e46e74a
SHA1

b6fde8cda661c91839c084a2b6189d263237b1ef
SHA256

10f400842811dbd8e1e595263fdde1a8c8dfd6769a3f46bec12a716a20b624de
SHA512

854533938d0afc86dedb675ad74359fdd7d797ef465017920fbd2addbebc984a72b345429d1336468ffbafbc9587da6f6ba1e94f10ea0e31f3c623582ed44246
SSDEEP

1536:fk6cYuR6cExOmJQR0vfyk6u72LH2MQ262AjCsQ2PCZZrqOlNfVSLUK+:81QOMQRA6H2MQH2qC7ZQOlzSLUK+

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Commqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clnadfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpofpdgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cipehkcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Debeijoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cekohk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chbedh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnhekgl.exe

Executes dropped EXE 64 IoCs

pid	Process
4960	Cccpfa32.exe
800	Cimhckeo.exe
4356	Clldogdc.exe
4780	Cojqkbdf.exe
508	Ccfmla32.exe
1560	Cedihl32.exe
2140	Cipehkcl.exe
5116	Chbedh32.exe
3568	Clnadfbp.exe
3888	Commqb32.exe
4860	Cakjmm32.exe
2548	Chebighd.exe
3752	Clqnjf32.exe
4192	Coojfa32.exe
2436	Camfbm32.exe
4424	Clckpf32.exe
1288	Cpofpdgd.exe
1084	Ccmclp32.exe
1588	Capchmmb.exe
3036	Cekohk32.exe
1880	Digkijmd.exe
3196	Dlegeemh.exe
4824	Dcopbp32.exe
3256	Diihojkb.exe
2412	Dofpgqji.exe
3092	Dcalgo32.exe
4944	Dephckaf.exe
4460	Dpemacql.exe
2044	Dcdimopp.exe
3716	Debeijoc.exe
2856	Dhqaefng.exe
4548	Dokjbp32.exe
1156	Daifnk32.exe
3868	Djpnohej.exe
4360	Dakbckbe.exe
3756	Ejbkehcg.exe
1876	Ehekqe32.exe
1716	Epmcab32.exe
4444	Eoocmoao.exe
4508	Efikji32.exe
4984	Ehhgfdho.exe
2408	Eoapbo32.exe
5020	Ebploj32.exe
4000	Ejgdpg32.exe
3444	Eodlho32.exe
2932	Ebbidj32.exe
4516	Ejjqeg32.exe
3972	Elhmablc.exe
4708	Ecbenm32.exe
3484	Efpajh32.exe
1412	Ehonfc32.exe
3220	Ecdbdl32.exe
3312	Fbgbpihg.exe
2920	Fhajlc32.exe
3692	Fqhbmqqg.exe
4624	Fokbim32.exe
4352	Fcgoilpj.exe
3384	Fjqgff32.exe
400	Fmocba32.exe
2424	Fqkocpod.exe
4796	Fcikolnh.exe
4076	Fbllkh32.exe
2144	Fjcclf32.exe
396	Fifdgblo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Giacca32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Dlegeemh.exe	Digkijmd.exe
File opened for modification	C:\Windows\SysWOW64\Dephckaf.exe	Dcalgo32.exe
File opened for modification	C:\Windows\SysWOW64\Fhajlc32.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Qfiapa32.dll	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fodeolof.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Ehekqe32.exe	Ejbkehcg.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbpihg.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Giofnacd.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jepjeoec.dll	Clqnjf32.exe
File created	C:\Windows\SysWOW64\Qonnknli.dll	Capchmmb.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Cccpfa32.exe	51d7986eadd4479eef1da39f9e46e74a.exe
File created	C:\Windows\SysWOW64\Njqijj32.dll	Dcalgo32.exe
File created	C:\Windows\SysWOW64\Lfmona32.dll	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Mkomif32.dll	51d7986eadd4479eef1da39f9e46e74a.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Fqkocpod.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Efikji32.exe	Eoocmoao.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbdl32.exe	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Dokjbp32.exe	Dhqaefng.exe
File created	C:\Windows\SysWOW64\Fdcfcpdf.dll	Elhmablc.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Fgpjnm32.dll	Dofpgqji.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hippdo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7528	7412	WerFault.exe	325

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llebfo32.dll"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmclp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpofpdgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Camfbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkomif32.dll"	51d7986eadd4479eef1da39f9e46e74a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Capchmmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4960	4616	51d7986eadd4479eef1da39f9e46e74a.exe	86
PID 4616 wrote to memory of 4960	4616	51d7986eadd4479eef1da39f9e46e74a.exe	86
PID 4616 wrote to memory of 4960	4616	51d7986eadd4479eef1da39f9e46e74a.exe	86
PID 4960 wrote to memory of 800	4960	Cccpfa32.exe	87
PID 4960 wrote to memory of 800	4960	Cccpfa32.exe	87
PID 4960 wrote to memory of 800	4960	Cccpfa32.exe	87
PID 800 wrote to memory of 4356	800	Cimhckeo.exe	88
PID 800 wrote to memory of 4356	800	Cimhckeo.exe	88
PID 800 wrote to memory of 4356	800	Cimhckeo.exe	88
PID 4356 wrote to memory of 4780	4356	Clldogdc.exe	89
PID 4356 wrote to memory of 4780	4356	Clldogdc.exe	89
PID 4356 wrote to memory of 4780	4356	Clldogdc.exe	89
PID 4780 wrote to memory of 508	4780	Cojqkbdf.exe	90
PID 4780 wrote to memory of 508	4780	Cojqkbdf.exe	90
PID 4780 wrote to memory of 508	4780	Cojqkbdf.exe	90
PID 508 wrote to memory of 1560	508	Ccfmla32.exe	91
PID 508 wrote to memory of 1560	508	Ccfmla32.exe	91
PID 508 wrote to memory of 1560	508	Ccfmla32.exe	91
PID 1560 wrote to memory of 2140	1560	Cedihl32.exe	92
PID 1560 wrote to memory of 2140	1560	Cedihl32.exe	92
PID 1560 wrote to memory of 2140	1560	Cedihl32.exe	92
PID 2140 wrote to memory of 5116	2140	Cipehkcl.exe	93
PID 2140 wrote to memory of 5116	2140	Cipehkcl.exe	93
PID 2140 wrote to memory of 5116	2140	Cipehkcl.exe	93
PID 5116 wrote to memory of 3568	5116	Chbedh32.exe	94
PID 5116 wrote to memory of 3568	5116	Chbedh32.exe	94
PID 5116 wrote to memory of 3568	5116	Chbedh32.exe	94
PID 3568 wrote to memory of 3888	3568	Clnadfbp.exe	95
PID 3568 wrote to memory of 3888	3568	Clnadfbp.exe	95
PID 3568 wrote to memory of 3888	3568	Clnadfbp.exe	95
PID 3888 wrote to memory of 4860	3888	Commqb32.exe	96
PID 3888 wrote to memory of 4860	3888	Commqb32.exe	96
PID 3888 wrote to memory of 4860	3888	Commqb32.exe	96
PID 4860 wrote to memory of 2548	4860	Cakjmm32.exe	98
PID 4860 wrote to memory of 2548	4860	Cakjmm32.exe	98
PID 4860 wrote to memory of 2548	4860	Cakjmm32.exe	98
PID 2548 wrote to memory of 3752	2548	Chebighd.exe	99
PID 2548 wrote to memory of 3752	2548	Chebighd.exe	99
PID 2548 wrote to memory of 3752	2548	Chebighd.exe	99
PID 3752 wrote to memory of 4192	3752	Clqnjf32.exe	100
PID 3752 wrote to memory of 4192	3752	Clqnjf32.exe	100
PID 3752 wrote to memory of 4192	3752	Clqnjf32.exe	100
PID 4192 wrote to memory of 2436	4192	Coojfa32.exe	101
PID 4192 wrote to memory of 2436	4192	Coojfa32.exe	101
PID 4192 wrote to memory of 2436	4192	Coojfa32.exe	101
PID 2436 wrote to memory of 4424	2436	Camfbm32.exe	102
PID 2436 wrote to memory of 4424	2436	Camfbm32.exe	102
PID 2436 wrote to memory of 4424	2436	Camfbm32.exe	102
PID 4424 wrote to memory of 1288	4424	Clckpf32.exe	103
PID 4424 wrote to memory of 1288	4424	Clckpf32.exe	103
PID 4424 wrote to memory of 1288	4424	Clckpf32.exe	103
PID 1288 wrote to memory of 1084	1288	Cpofpdgd.exe	104
PID 1288 wrote to memory of 1084	1288	Cpofpdgd.exe	104
PID 1288 wrote to memory of 1084	1288	Cpofpdgd.exe	104
PID 1084 wrote to memory of 1588	1084	Ccmclp32.exe	105
PID 1084 wrote to memory of 1588	1084	Ccmclp32.exe	105
PID 1084 wrote to memory of 1588	1084	Ccmclp32.exe	105
PID 1588 wrote to memory of 3036	1588	Capchmmb.exe	106
PID 1588 wrote to memory of 3036	1588	Capchmmb.exe	106
PID 1588 wrote to memory of 3036	1588	Capchmmb.exe	106
PID 3036 wrote to memory of 1880	3036	Cekohk32.exe	107
PID 3036 wrote to memory of 1880	3036	Cekohk32.exe	107
PID 3036 wrote to memory of 1880	3036	Cekohk32.exe	107
PID 1880 wrote to memory of 3196	1880	Digkijmd.exe	108

C:\Users\Admin\AppData\Local\Temp\51d7986eadd4479eef1da39f9e46e74a.exe
"C:\Users\Admin\AppData\Local\Temp\51d7986eadd4479eef1da39f9e46e74a.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\SysWOW64\Cccpfa32.exe
  C:\Windows\system32\Cccpfa32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\Cimhckeo.exe
    C:\Windows\system32\Cimhckeo.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\SysWOW64\Clldogdc.exe
      C:\Windows\system32\Clldogdc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4356
    - - C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780
      - C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Chbedh32.exe
        
        C:\Windows\system32\Chbedh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        23⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        24⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        28⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        29⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        35⤵
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        36⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        38⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        41⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        42⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        43⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        45⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        46⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        48⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3220
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        57⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        59⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        61⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        64⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        65⤵
        Executes dropped EXE
        
        PID:396
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2472
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        67⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        69⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        70⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        71⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        72⤵
        
        PID:384
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        73⤵
        Drops file in System32 directory
        
        PID:968
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        74⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        75⤵
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        76⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        77⤵
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        78⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        79⤵
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3340
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        81⤵
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        82⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        83⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4332
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        85⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1852
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        88⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        89⤵
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        90⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        91⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        94⤵
        
        PID:524
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        95⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        96⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        104⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        106⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        107⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        108⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        110⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        111⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        113⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        114⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        115⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        116⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        118⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        120⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        121⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        122⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        123⤵
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        124⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        125⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        126⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        127⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        132⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        133⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        134⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        135⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        136⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        137⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        138⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        139⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        142⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        143⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        145⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        146⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        148⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        149⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        150⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        151⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        153⤵
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6016
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        156⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6220
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        158⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        160⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        161⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6476
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        163⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        165⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        166⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        167⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        168⤵
        Drops file in System32 directory
        
        PID:6784
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        169⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        170⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        171⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        172⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        173⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        174⤵
        Drops file in System32 directory
        
        PID:7084
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        176⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        177⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        178⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        179⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        180⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        183⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        185⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7032
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        187⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        189⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        190⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        191⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6580
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        193⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        194⤵
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        195⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        197⤵
        Modifies registry class
        
        PID:6344
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6568
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        199⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        201⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        202⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        203⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        204⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7160
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        205⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6416
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7216
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        208⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        209⤵
        Drops file in System32 directory
        
        PID:7300
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        210⤵
        Drops file in System32 directory
        
        PID:7340
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        211⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7380
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        212⤵
        Modifies registry class
        
        PID:7416
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        213⤵
        Drops file in System32 directory
        
        PID:7456
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        214⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        215⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        216⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        217⤵
        Modifies registry class
        
        PID:7632
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        218⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7672
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7720
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        220⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        221⤵
        Drops file in System32 directory
        
        PID:7808
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        222⤵
        Modifies registry class
        
        PID:7848
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        223⤵
        Modifies registry class
        
        PID:7884
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        224⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        225⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7968
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        226⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:8024
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        227⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        228⤵
        Modifies registry class
        
        PID:8108
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        229⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        230⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        231⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        232⤵
        Modifies registry class
        
        PID:7244
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        233⤵
        Modifies registry class
        
        PID:7316
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        234⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7412 -s 400
        235⤵
        Program crash
        
        PID:7528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7412 -ip 7412
1⤵
PID:7492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
85KB

MD5
96a536ef784a051b465c0d668278e786

SHA1
57b389d320a6f63b50c2e753d2095b887c3e8229

SHA256
159ab9a0f1c4cc527cc522c6b674b1eb839a6fc04140df07181130b08efdabe1

SHA512
a6606c1bbd0a7c906cb589404100c34f24b88fa3718f3dfe93c7cb5a561579986468756789f16f777f9322af5fd087598d8de5e59468f19f764a2de5da7a3a37

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
85KB

MD5
ee14f1c8ef7d686d182531653af5a514

SHA1
c3f448d9023dd0fcb71f6213d9ad48619173c11a

SHA256
37ece897bdb7a9882bb267760f2f35feb4ee1be5272281ebd7a4a13e24ad08ef

SHA512
6360cf06f33bb1cb769cabe2e7e2ed6a2e739fad57e2b1ac4f1558a1639cadeed4a4fd679c058af8ee6ebe3944c792552413c2aa3d681eefbb73fb6912eb6223

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
85KB

MD5
5475dc5bb10dd8bde67fdc6ca4623aa3

SHA1
0b9dfc2a344de8c00cfb9bdc8379d39d19149dd8

SHA256
b4065d0f484c42ea65ae5c4f5eada608c2d159334b626ac26775c27d6a964ae1

SHA512
7fba969a64ad36a665188724c0b8a39f03b8e3ace8316f15e446960e0870e32806286c775228eae5dda4575865024ae22a6d383a7724fec1965a9e7a435276d2

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
85KB

MD5
1ffeb5a03aeb38c9b07fb2fbae594c21

SHA1
7146cba67b01cd8b919864d2862b1889e983e6a6

SHA256
6078ddbd59a69ac0f19484ee1885d8c9284370a3aca51c61c0ca533a239237b0

SHA512
fa0af49308c35a10ed614c10beb730d22b64ffd86a2630c8013f627bd57089902f9ac6afb0881b5b8c118a4c9f5d83de30d6726c410392187bd827065f5b8b4c

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
85KB

MD5
9f951d356a6b90d60ab35544332168c6

SHA1
f31ff92040130e92bd0be4144a3df01f6b464de0

SHA256
4083b7d3004ec6b25b1756471121a366ccec7eef06e6a7cc849ca540cfdb1fe8

SHA512
73b027d675c94efa6103869347cff28c9bbc680608f8ef281d5b54573e82533f21a6f930a4fdbfd827e34fc61f7cfc1f27d3b88252dd1a31ddb75438cf21637e

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
85KB

MD5
cc204bc8f33b7112f092e54e000fe208

SHA1
f68a68e94e7e5bb68434a848ba0dd924f5b8e0b7

SHA256
08dc2806f01ef7a9b706986e2e31088e2686d8c458b74df722e461fa82215461

SHA512
a35ba228b854abe38a3cbb5d78b69c3aa3789ed5bae27a6c7c65618b51d2764d9e9856aa2c6187a56fa78ccd92bae3180557f8f25a5d9d0376360d670cc16e8f

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
85KB

MD5
22e33e17627a2d871933ae6578ca5906

SHA1
f94d3f794ec9d07682788c0a60b3bcf0638ad503

SHA256
8b201aab36dea0d0843c1fa9a158a84177765cad51e977f930bb74112058a65f

SHA512
3330a1d45288461acd5daae1fb059aeb023b0308e69e5b867dc1301b433cf506860bb5cb6793b706fed71258d701eb96b35a5c319e102e3f791fbee69b42a461

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
85KB

MD5
78c11bac6fd3f10eec279751c2adb8dc

SHA1
5aca84d6d07f26e31e7669a3fd7ef2314361e096

SHA256
87597a73944be53cc122b140a2f284e6f97ab98d3a1ff5a639a28b94c603af9f

SHA512
6093b89d9483206c3c3539aece6490e71ea14d9b98d20fb1e0b9df71b3a77cc7a48b13087c5b3203c9030bf01023ad233f65b43cb9b669eaca82abbd38b6249a

Download Submit
C:\Windows\SysWOW64\Chbedh32.exe

Filesize
85KB

MD5
b1de11a430663bd4ba981439a704957e

SHA1
d30130fe9e48e5a4af0524a617d5afa56b4a52a9

SHA256
3170df591e8564d3acb725bd0b1e3c302efc50dbcfcd394583c012fafba4a5a0

SHA512
1f4127b5f66d3ead987b1a9f89f29cd01b17be19ffb4780561ff9dd678feabd96fb8f0e8069c2b8209543057333e8f538c84bf80bda7f778e1ba178ce192cea0

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
85KB

MD5
014ea1c0c82411fa183da922b4d7e175

SHA1
a734671caa0de790512ae37fa5a4a7ceadd156aa

SHA256
c6ec40a895d03d8f5f5f35bcec405544890058c3f5ee2618b77d1dc7288940f5

SHA512
0374ea8a2968315b12d5723c59f07a5ecb8168fb3a0343495cb0c925eaaae02e05745905113e7e9df72e2099e7b55bc910f3ed6478cca0dc8ae66fdff94efbc1

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
85KB

MD5
48204520bd9a4c1bc3b341a10c48eec3

SHA1
265f47284c7fa817e14077b401c07939d4d74e4e

SHA256
666d5bfb094030d1cc26a2a21701415b7bc37bb66b67d80193a79ce0d2b98c6e

SHA512
906231222eef392e6bd2b64a5a37069745d5314c312798dd9663389a7d0463dea62306d0a0bc4a0f13477098741c19e4d7df979f6d11d4c282416289577eea37

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
85KB

MD5
3c832325d37344004e5af60472fabc65

SHA1
30d7c30fa9d62a7915095af00c59a05a52ea3216

SHA256
b6599700ddaa01aaa8e2eb7474a18563dc7a531a5c514040912b79ef5946aa5d

SHA512
5eccf99e0cadf5b6cbc28b9bb0c3c5c20f623b68f4a6f0132abf6fa2db9afd9c33f2ea92251a7f60013cffecb381520b39b7e47a748dd76ccc33f4f5a23b2e79

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
85KB

MD5
acd611183befafec41534f5d76134c9f

SHA1
4261d6cca78750dbe916dd1f1513b0bd7acbc3e3

SHA256
860b7fb43109de8c139d65657bb91cda2f62c7945069cbba5628e7b4786abc96

SHA512
c910c4564c45c638d12541d361fa309400e98ad34ad78fc80c5338b08c63be462230fd34a2ab8789218976662e72c7b0f0b202a239bcff6dc38df082b58273f5

Download Submit
C:\Windows\SysWOW64\Clldogdc.exe

Filesize
85KB

MD5
d2caa271ca93fbd794e8c37c48d20a2f

SHA1
520a38cded5af99fe00eead9496ee1d4764f604e

SHA256
9596baebbe524d9fd42d20ce8c84a0ee2a4ef2fdcfd6d7ff79a970c0120f99b0

SHA512
22806c1c4d0e03c271f6290b74f1d4c117b7f64702854f6881a851cafa0d48ff1c674340dedeb079bf5b5bd3f33473e46b4904cd8c0c149beba74775c9a61cec

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
85KB

MD5
665f73ba3042fe9b5935314b3b916d3a

SHA1
5e87965ef3752a6f981711db4c04e5dfd13bddf5

SHA256
6b1535001bb910946372ec328197f4b3e875203cb9ef902882f1b0f8a478993e

SHA512
482574666e88b0a579ee64e1a74697d6d68c1e3da4b217ce5e081de01fa8c7b10d59532603a07bbececcb1399dd549759cd8392407f141e27cbd4d367c288785

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
85KB

MD5
51593c7a9e725384c817b3cadd019c67

SHA1
8b11a22dc4fd17103be7ebcd594a59984189cad0

SHA256
bbee296bd19ad96fdebf25b95a62df2589f69eca08276897ba39ca24946bd3b4

SHA512
d83b59186f85b9f2230da962d64747ef0e7b2a3a286f677d0fd00083085c7b4d4b7d8bdebb17c7e35a7d21362aa69951c2878ee0f8f0443e3a2b6b66ee01c76e

Download Submit
C:\Windows\SysWOW64\Cojqkbdf.exe

Filesize
85KB

MD5
8bb513a1829fca7ea022f5fc559e54cb

SHA1
4cfeb24eb1f4d3251329dd19d7e0047fa280d240

SHA256
4d53ff6fbd847a0b811145030af7e2ff431682ada9a1f6f7baeb7c6dda593c28

SHA512
eda11c7bf136eae9f100b6fcce8b6e46abb54f7372123e3f0fcd12004ecaf8ed86c41601e775ffa72b36a6519c10428ae8a05a8b9f77d1b6d3be6d3e213e12c0

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
85KB

MD5
4620fee4624a8fd1cd0b603cd38e25e7

SHA1
a310cbc1817dcb9d91254434207271b3e9861972

SHA256
dfd5a33685e42146c4b01d77b21b8b7298f9d6461ff6f4f8ea25aa2fdd8837f5

SHA512
c96263779697e660aa4665a7a95d7f75d741b8cd9b2e649b9569fc0c141052529f38aa258e075807a296b6c849b34352de9c95c17afadad31fff67778699f978

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
85KB

MD5
57b6dbea18d0d6bfb7465a8519ea070a

SHA1
2df7632065014af4e15f389097c31511ad27ab92

SHA256
6f20c5ad72d77040c8c7dfb5cb0b374f17080e45395d1a96deb8170180c7a3dc

SHA512
199f406c7dcf047589768ef7b792d4f89e9df6fbbe662d44c3e998de2a3920c7f91ffdb13da6d744c970b8b0205421f7914153baaecea55208e1284e2678f699

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
85KB

MD5
2e241abc35e0b6bf34ed339e6e3d0c4d

SHA1
051b27539ebea8b6b791edc0726e340f1462dbf0

SHA256
c980290fd5af80e205108b1f41f586cc7e145b3956be10bbf2f5c5598ec6ab2b

SHA512
80d8d55e25e1f8b5d3cb2c118877bce460c80d9e6e2d3e1d079d0b255b71bfde0aaf9aa8a6ebc249256027ec29ac4d423535b5b8cb2301aa4a5128a5b61582de

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
85KB

MD5
742ed44dd30ecb8f392dbc0dc223e333

SHA1
25c2f662b0de57c0c434c4ec5a904a702c550599

SHA256
36a25c45d7602ccac5147bd771360ac02a5f8b0a1838e267716198a2eac9d49f

SHA512
0ef7c9310e03829d915411502523e18bb589f5982fd64f2ea2359de33851366a4da0b129fb339cac51e14e14ed58688b06626a4a6e6d378dacacc43b74f9860c

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
85KB

MD5
b42aa1fbe70c4c62a57b36e213ea4275

SHA1
3d02bf6f35fe1b497ef37fb5d5abfbe79455faa1

SHA256
36e3b4eb51fcaa6afb7f5fe487e23ac6b3e27d5f9dc2c2e8c6b0a37204b8d159

SHA512
78327cd8939002968997d9a6a3bea227a76dd2390bb0b25dd8ed428d014d0fe41b5c81fd3ce80e2b61bb448137d9e422f5daf567fea75a97c6d90a2cbc6a00e8

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
85KB

MD5
7a20cd57ecd9cc354598b85d5c73e5fc

SHA1
c11b268dd453fdf2c2a9661b0a3b913f24445814

SHA256
187bd48ef087a5f80035fd4b2a04793830c3f9e4ea5bd5a91d980c0923054d78

SHA512
cbf80db678f7063b7cde078d83618c34e2aaa2df0d84d5502d631a498854e497d0ff46892783004df9259931fd55af9caac3b6642b8f386f6933afae1ff210e4

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
85KB

MD5
7576c2d35c562a2d1ab83182e6c2c27d

SHA1
17e6f3ae8b26b872b673032c8e2f033f684166ef

SHA256
117ca7924010f186264b9b99c1958420a532fa8531e04f26acc786db72a5b51f

SHA512
13f249f3e34b758b866732c032752af0778a28ad99bb5102ac028da99aeb3c0620e4663de72080d402178a9a44f604e3b65598d8035947707531f2e8ba82f4cd

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
85KB

MD5
250af21d263713285542a481f6cb5371

SHA1
0fbef8d3707b2d5c4a1ee2337aab4b2078d58caf

SHA256
1a61cfbf99a8447c5d9d98da6dde5451523f651f3608048c19a5222a87099577

SHA512
a88b727aa0c4929f93a2f8d582d992c042555ad4258367082896a3acb53771efcce5dc24f817ff8604d92421cdf009e53fc1030077407dd197073bdd2a4226cc

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
85KB

MD5
004631ef88a724e6abb7bed9b1b0b4be

SHA1
8716cf9ce0b6a6433f8b3093b99d90471e89fda4

SHA256
9d271943f5153ddb31ac1d7caaa5d49a01e9aabe7c1c6f668800e98c9727fccc

SHA512
ac01f317823d50f3641db283df5d77e3e78c25f0b35d58c26b5ee4102cfde7d1b74085a0c864dbd13336b01bf742574c136ab723e5c532a96891add7ca05f402

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
85KB

MD5
e227b06243a8fdaef2db495078d59331

SHA1
bcea86bbda9787607ec8a5945818017734d9ff08

SHA256
b58e5bc6b0e77dc1905211910def81ebdda6fd4642dc9bf0fa9ae5b2f8f2be7b

SHA512
825335580f5ccbffd14e0e4426558de7d6fc76c325c6a5a2ce538dd16260be429081279c37e43d12c1bed8dc543f6661f3e81bdff161fcc4b158a3a7bff7bd52

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
85KB

MD5
8476bd8964f54881cf904eb8c4a10bd8

SHA1
a1596b6ce2d152514090552e9fbadd7ea86f670a

SHA256
4f2c8c4133c8a84ab66b973a9f7ef102cbc21185aa607e210e85b07a34a8a352

SHA512
1e37761df345909af6a6f7e7c4dbd3b6d9046116cd9f12d050f7f7f87b6903824d042a4b43a871ad15f8df9cc458e3db3f9bd05b9187e81a3a08006685aaffb4

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
85KB

MD5
2e41e9a7722966533007f27d2214342a

SHA1
105afd0107fce29bc1eaa17b6963d9e31c645e9a

SHA256
a6e6834bb970ccfb6e4752b3cc3a68d994c0e004d05634da8ebc9c23da980c83

SHA512
635faf67dda2ab738ff348f2910d11129b9fad4fcc985d149b4baba59a812548266fdc7cbf2bb84baac93f66a56888dbf626937d2a8c5eba0416e0450a056b86

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
85KB

MD5
c312563cfc718b6a1435125c7ab83f4c

SHA1
c167dba5927c8bdee9349c0ad7ce2d7dfa352fcd

SHA256
c65b2f24b2fdaceb72d4add4204e518673ba16da9f3fb272904878ae9e6e32ca

SHA512
f990b69179622fab482d7253cd13a783758faedee306b05c2f5d677d17bb3ff9690be63e2cd7aeffdb2d72feeea8aa0c26396883e29e1399901757db8c62a290

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
85KB

MD5
baf4328dbf010570c0f4c20161e6a8a8

SHA1
a4c539b91a389a485acd9f768c30f266253efa19

SHA256
6e95ffc757ca4774c9f31e6390185392940df59d9b4cfee9ab46911c74ec6bc7

SHA512
9f676cea1f8ba127afad9182a69f883da37a849f0e90784c69b1dc1b9d4c33c32fb8543c0ea84b3a0437773e4fb84d1d66680dec3d2f6edc522bc76075063ffe

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
85KB

MD5
054d843e2041fbf26ba30ccc7d141fbc

SHA1
8a738c8a82a33fbcb89d71c7f247098abdd91904

SHA256
ff3b80bf93a5315d737e0093b16815c954e2b3992020c5b87bda9a7fb7e5e7b2

SHA512
5f10d03d1ffd6b949648a100f7e53724f8c9cce7420459790d25e9df1e69992a469f9acae2a2cef11c899f5aa8836cc4038f6c84c9cb1576039b10488d0170d9

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
85KB

MD5
7453c72d571546ac737c406b6ad72aa6

SHA1
ae859efdf4fc8152593e587cc2bf822d4299ebd6

SHA256
eb3f769c64f70eed5eaa256865fa94ca600eb232966cabb69cdef21f6a82aa69

SHA512
f1e0da6807b84e8a4e3dcc624a1babcfd677669db2c428b28ac4134cf2d495c50485b3990c128fdb76fd0e1687c0d886d814779cfc436094db54a8713c5e2795

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
85KB

MD5
199b8b19a16abee7d66abcba944cf4c8

SHA1
638143e10f9e96b9d8f5934ccc380a43ba4e5998

SHA256
722bba4850343a5de2852b4adafcd381a06bfb5ce16251823f8600503b9ca7cd

SHA512
3b4e7b6436e6869c1df9344e705aa7a429eedf6bd53baaa0d6e12f39b53a9550d38071f78e58e4af3329abe3734b76f8413c93ace2aa260f57c42c127111b86e

Download Submit
memory/508-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/508-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/800-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/800-110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1156-276-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1588-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-362-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1880-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2044-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2436-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2436-240-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3036-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3092-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3092-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3196-195-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3256-277-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3256-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3444-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-78-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3716-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3756-296-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3888-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4000-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4192-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-290-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4424-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4460-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-265-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4616-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4616-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4824-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4860-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4944-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4984-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5020-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5116-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads