e5430a88003413c7ff6816e8f26814cd858761af4afeb0b4bab13b3b74a096ec

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 23:55 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5430a88003413c7ff6816e8f26814cd858761af4afeb0b4bab13b3b74a096ec.exe
Size

669KB
MD5

d90d5cac1c1f652ae51141aa08090c57
SHA1

725f1885cb8b59ee31fb2dad1fffc8b66cfb6edd
SHA256

e5430a88003413c7ff6816e8f26814cd858761af4afeb0b4bab13b3b74a096ec
SHA512

b4515054acff43d15aae815270c5e9364fddbac06b2142495c0f71ee1133a565457475e1b16ea0d7ab9412b26c9b97f488781be2957452346654ff0cf33f3950
SSDEEP

12288:Y1r2IU7eVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:YobichMpQnqrdX72LbY6x46uR/qYglMi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpcpkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjfgphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljkdig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Digkijmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coagla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe

Executes dropped EXE 64 IoCs

pid	Process
4348	Cpjmee32.exe
1964	Cefemliq.exe
1124	Chebighd.exe
1800	Cpljkdig.exe
400	Ccjfgphj.exe
4280	Cidncj32.exe
268	Coagla32.exe
1556	Digkijmd.exe
4504	Doccaall.exe
216	Diihojkb.exe
2620	Dpcpkc32.exe
1700	Dcalgo32.exe
5068	Dadlclim.exe
5000	Djlddi32.exe
3056	Dpemacql.exe
752	Dcdimopp.exe
4996	Debeijoc.exe
4224	Dhqaefng.exe
2284	Dphifcoi.exe
3404	Dokjbp32.exe
1988	Daifnk32.exe
3384	Djpnohej.exe
1620	Dlojkddn.exe
3736	Dpjflb32.exe
2516	Dchbhn32.exe
4888	Dakbckbe.exe
1560	Ehekqe32.exe
3680	Elagacbk.exe
4080	Epmcab32.exe
4640	Eckonn32.exe
2104	Efikji32.exe
2368	Elccfc32.exe
3196	Eoapbo32.exe
1592	Ebploj32.exe
2908	Eflhoigi.exe
4304	Ehjdldfl.exe
4312	Eqalmafo.exe
2544	Eodlho32.exe
1076	Ebbidj32.exe
4412	Efneehef.exe
116	Ehlaaddj.exe
1736	Eqciba32.exe
2548	Ecbenm32.exe
812	Ejlmkgkl.exe
4564	Emjjgbjp.exe
780	Fbgbpihg.exe
3048	Fmmfmbhn.exe
3064	Fokbim32.exe
2852	Fbioei32.exe
3608	Fjqgff32.exe
4044	Fmocba32.exe
3584	Fqkocpod.exe
2992	Fomonm32.exe
2976	Fbllkh32.exe
3264	Fjcclf32.exe
4684	Fmapha32.exe
440	Fopldmcl.exe
4240	Fbnhphbp.exe
3356	Fjepaecb.exe
636	Fihqmb32.exe
2880	Fqohnp32.exe
2856	Fobiilai.exe
4244	Fbqefhpm.exe
4000	Fjhmgeao.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Neahbi32.dll	Fmmfmbhn.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Cefemliq.exe	Cpjmee32.exe
File opened for modification	C:\Windows\SysWOW64\Dpcpkc32.exe	Diihojkb.exe
File created	C:\Windows\SysWOW64\Djlddi32.exe	Dadlclim.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Eckonn32.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Fdcfcpdf.dll	Eqciba32.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Onkhkpho.dll	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Mbgaem32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fbnhphbp.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Dhqaefng.exe	Debeijoc.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Fmocba32.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Fihqmb32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jaljgidl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6244	7088	WerFault.exe	284

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e5430a88003413c7ff6816e8f26814cd858761af4afeb0b4bab13b3b74a096ec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eckonn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceakm32.dll"	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpjmee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkccjejn.dll"	Chebighd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfljmdjc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4348	5084	e5430a88003413c7ff6816e8f26814cd858761af4afeb0b4bab13b3b74a096ec.exe	86
PID 5084 wrote to memory of 4348	5084	e5430a88003413c7ff6816e8f26814cd858761af4afeb0b4bab13b3b74a096ec.exe	86
PID 5084 wrote to memory of 4348	5084	e5430a88003413c7ff6816e8f26814cd858761af4afeb0b4bab13b3b74a096ec.exe	86
PID 4348 wrote to memory of 1964	4348	Cpjmee32.exe	87
PID 4348 wrote to memory of 1964	4348	Cpjmee32.exe	87
PID 4348 wrote to memory of 1964	4348	Cpjmee32.exe	87
PID 1964 wrote to memory of 1124	1964	Cefemliq.exe	88
PID 1964 wrote to memory of 1124	1964	Cefemliq.exe	88
PID 1964 wrote to memory of 1124	1964	Cefemliq.exe	88
PID 1124 wrote to memory of 1800	1124	Chebighd.exe	89
PID 1124 wrote to memory of 1800	1124	Chebighd.exe	89
PID 1124 wrote to memory of 1800	1124	Chebighd.exe	89
PID 1800 wrote to memory of 400	1800	Cpljkdig.exe	90
PID 1800 wrote to memory of 400	1800	Cpljkdig.exe	90
PID 1800 wrote to memory of 400	1800	Cpljkdig.exe	90
PID 400 wrote to memory of 4280	400	Ccjfgphj.exe	91
PID 400 wrote to memory of 4280	400	Ccjfgphj.exe	91
PID 400 wrote to memory of 4280	400	Ccjfgphj.exe	91
PID 4280 wrote to memory of 268	4280	Cidncj32.exe	92
PID 4280 wrote to memory of 268	4280	Cidncj32.exe	92
PID 4280 wrote to memory of 268	4280	Cidncj32.exe	92
PID 268 wrote to memory of 1556	268	Coagla32.exe	93
PID 268 wrote to memory of 1556	268	Coagla32.exe	93
PID 268 wrote to memory of 1556	268	Coagla32.exe	93
PID 1556 wrote to memory of 4504	1556	Digkijmd.exe	94
PID 1556 wrote to memory of 4504	1556	Digkijmd.exe	94
PID 1556 wrote to memory of 4504	1556	Digkijmd.exe	94
PID 4504 wrote to memory of 216	4504	Doccaall.exe	95
PID 4504 wrote to memory of 216	4504	Doccaall.exe	95
PID 4504 wrote to memory of 216	4504	Doccaall.exe	95
PID 216 wrote to memory of 2620	216	Diihojkb.exe	96
PID 216 wrote to memory of 2620	216	Diihojkb.exe	96
PID 216 wrote to memory of 2620	216	Diihojkb.exe	96
PID 2620 wrote to memory of 1700	2620	Dpcpkc32.exe	97
PID 2620 wrote to memory of 1700	2620	Dpcpkc32.exe	97
PID 2620 wrote to memory of 1700	2620	Dpcpkc32.exe	97
PID 1700 wrote to memory of 5068	1700	Dcalgo32.exe	98
PID 1700 wrote to memory of 5068	1700	Dcalgo32.exe	98
PID 1700 wrote to memory of 5068	1700	Dcalgo32.exe	98
PID 5068 wrote to memory of 5000	5068	Dadlclim.exe	99
PID 5068 wrote to memory of 5000	5068	Dadlclim.exe	99
PID 5068 wrote to memory of 5000	5068	Dadlclim.exe	99
PID 5000 wrote to memory of 3056	5000	Djlddi32.exe	100
PID 5000 wrote to memory of 3056	5000	Djlddi32.exe	100
PID 5000 wrote to memory of 3056	5000	Djlddi32.exe	100
PID 3056 wrote to memory of 752	3056	Dpemacql.exe	101
PID 3056 wrote to memory of 752	3056	Dpemacql.exe	101
PID 3056 wrote to memory of 752	3056	Dpemacql.exe	101
PID 752 wrote to memory of 4996	752	Dcdimopp.exe	102
PID 752 wrote to memory of 4996	752	Dcdimopp.exe	102
PID 752 wrote to memory of 4996	752	Dcdimopp.exe	102
PID 4996 wrote to memory of 4224	4996	Debeijoc.exe	103
PID 4996 wrote to memory of 4224	4996	Debeijoc.exe	103
PID 4996 wrote to memory of 4224	4996	Debeijoc.exe	103
PID 4224 wrote to memory of 2284	4224	Dhqaefng.exe	104
PID 4224 wrote to memory of 2284	4224	Dhqaefng.exe	104
PID 4224 wrote to memory of 2284	4224	Dhqaefng.exe	104
PID 2284 wrote to memory of 3404	2284	Dphifcoi.exe	105
PID 2284 wrote to memory of 3404	2284	Dphifcoi.exe	105
PID 2284 wrote to memory of 3404	2284	Dphifcoi.exe	105
PID 3404 wrote to memory of 1988	3404	Dokjbp32.exe	106
PID 3404 wrote to memory of 1988	3404	Dokjbp32.exe	106
PID 3404 wrote to memory of 1988	3404	Dokjbp32.exe	106
PID 1988 wrote to memory of 3384	1988	Daifnk32.exe	107

C:\Users\Admin\AppData\Local\Temp\e5430a88003413c7ff6816e8f26814cd858761af4afeb0b4bab13b3b74a096ec.exe
"C:\Users\Admin\AppData\Local\Temp\e5430a88003413c7ff6816e8f26814cd858761af4afeb0b4bab13b3b74a096ec.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\Cpjmee32.exe
  C:\Windows\system32\Cpjmee32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\SysWOW64\Cefemliq.exe
    C:\Windows\system32\Cefemliq.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\SysWOW64\Chebighd.exe
      C:\Windows\system32\Chebighd.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1800
      - C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        23⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        24⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        26⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        27⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        29⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        30⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        33⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        34⤵
        Executes dropped EXE
        
        PID:3196
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        37⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        39⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        41⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1736
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        46⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        47⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        49⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4044
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        54⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        57⤵
        Executes dropped EXE
        
        PID:4684
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:440
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        61⤵
        Executes dropped EXE
        
        PID:636
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2880
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        63⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        64⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        66⤵
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        67⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        68⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        70⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        71⤵
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        72⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4008
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        74⤵
        Drops file in System32 directory
        
        PID:472
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3656
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        76⤵
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:868
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        79⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        80⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        82⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        84⤵
        
        PID:184
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        85⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        86⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        87⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        89⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2988
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        91⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:596
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        93⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        94⤵
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        96⤵
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        97⤵
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1188
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        100⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        101⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        102⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        103⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        104⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        108⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        109⤵
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        114⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        117⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        119⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        122⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        124⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        125⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        126⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        127⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        128⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        131⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        132⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        134⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        135⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        136⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        137⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        138⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        139⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        141⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        143⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        144⤵
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        148⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        149⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        150⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        151⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        152⤵
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        154⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        156⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5240
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        158⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        159⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        160⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        161⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6264
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        163⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        165⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        166⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        167⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        168⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        169⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        171⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        173⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        176⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6868
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6912
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        180⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        181⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        183⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        185⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        186⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        187⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        190⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        191⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        193⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        195⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        196⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        197⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        198⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 412
        199⤵
        Program crash
        
        PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7088 -ip 7088
1⤵
PID:6192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:6628

Network

DNS

133.211.185.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.211.185.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

56.126.166.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

56.126.166.20.in-addr.arpa

IN PTR

Response
DNS

159.113.53.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

159.113.53.23.in-addr.arpa

IN PTR

Response

159.113.53.23.in-addr.arpa

IN PTR

a23-53-113-159deploystaticakamaitechnologiescom
DNS

17.14.97.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.14.97.104.in-addr.arpa

IN PTR

Response

17.14.97.104.in-addr.arpa

IN PTR

a104-97-14-17deploystaticakamaitechnologiescom
DNS

21.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.236.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

133.211.185.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

133.211.185.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

56.126.166.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

56.126.166.20.in-addr.arpa
8.8.8.8:53

159.113.53.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

159.113.53.23.in-addr.arpa
8.8.8.8:53

17.14.97.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

17.14.97.104.in-addr.arpa
8.8.8.8:53

21.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

21.236.111.52.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
669KB

MD5
3db30d99d39e44394efc6007b5afdfe6

SHA1
16381f9a0f45771845bb3d9dda5b23dea7ba212c

SHA256
40ff921ef8b0d797fd937f8489d2f420e43512017a173579cb70a42893633448

SHA512
fb9b7ed12211e8b5e85e33ea27ddab672451d1273bd1220e25cba7f872d53d9a1d00dc98e4351ca2c4036cee0bdf98c79b82ab96820205150545a8feb2affadc

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
669KB

MD5
ed48aaa40bad4e8579922f26324485a5

SHA1
29cabe24513b5da940e8836c6936543e726ef395

SHA256
c6892b9e39817236565f4bb41d49446614c559905649f01c663e99e7219be1c4

SHA512
f2e4d8263975f8b7f70cf141a5d37c6cc10d1fef51d03f18e3b6e0bd9b0b1b7a2845075d5b0c89cde0befb59fe90fc1462316f80c9e1339a3a316c4794e32c8a

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
669KB

MD5
767107cda53cfb5223e75e495f7fdff1

SHA1
f1e07df7d74826d450965aa5b1ff98acfc5e0a4f

SHA256
2259c072bf2b6a6fcb9a9eebdfb5cec7be8d69dca41410f63341b2f8678a462d

SHA512
8a203f3787e8c6a35e63c9ad4c344ffd13d933c9cc21a92a4bb248d1464844a96f313746e09ce8419e99c417b98e7b6a7151d7c3f377dc124dc44c666f6acccf

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
669KB

MD5
4f345e34a4eac1afa88e90371418cf1d

SHA1
00d0ca6b68d6eb2ecaa9d74358d2828e6936a0cf

SHA256
0849667def21ede49380f375073007214d7d02389d3fbea8e181daadb745e015

SHA512
8ee02a2f34c9d938b33b1dedbf6617d84da563c5461c7d6017a4f43ba97e8981d9826ea3ef257f71a994e3cd74b3515cbb90812c47df51acdaa0cef375384de5

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
669KB

MD5
59d5e28921018a624c97bb3432bfbf66

SHA1
7fb0af8c74f5ce5a832a38a1136babbd2c2ba525

SHA256
6125d4dcb722f9550b3c17375008df5dc9794907f162276267e06ca28b2baaf9

SHA512
c3ef3e1363ba8cb70327b324e647938b3ac8c36fbb890793b3e8de08fdeda49d596fc5be6779dfc2d3cbbe5dd79372b60d2983d3ab9623c520aa70687f8c745e

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
669KB

MD5
35b3b5e3f0e7f710f35a1ffdedd269c5

SHA1
6f495b15f9bbb9de7c4bd3a9254330ef6085b1a7

SHA256
d5e0473b274b205b7722000697c65ec59477f0c53d271c8b586dde44dca22d6c

SHA512
f7ac3a7b3a3f8be8c9b778c58ae0460ea9b6061291ada30aa84baa24538f3cddb99d44e278e22be06d70f1d6813236cefb5aeba2669aa37bd8eedc749d610a7e

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
669KB

MD5
c19d2963306d35f2ba6fbc38f8e38514

SHA1
f1e5b424313d146dd5faf411cc8324a8f83c5a30

SHA256
70c3e2cff04aab22b60d9d5d30a540b966717bdb319116f4ecc6b7ee26364a71

SHA512
27ffd83ed61c891a62132cc7765afff283e66426f8da613ef8d6c08eae0634be044d1b2bcb3da03a0a0a5b0f16285483993d248a673de57d3d409721c0072ea6

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
669KB

MD5
f0bf19f65e2ccaceeedcae72fe6e8e8e

SHA1
a191c3a7dd2ba7b88fde318ff19c0e4353de5b4b

SHA256
d0799f169634937f8262f8e06303407ed66fdd42e7fa47dc3348ea2abb2d7b9b

SHA512
aec4486fd73fa8773294780df45875e5f0088259ec801031bb0dedbfab46f70140b91445a406f0b1796f56868b94f960439dd393bc35728f42540ecbb78b8339

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
669KB

MD5
457d050c525413e7260b9df6e0157bff

SHA1
f5100b7f1aafe20b52a402412fc96d2ed6f3998e

SHA256
9d4c642574eaaeb8fe27d46833e9363787b95dd0612083d5f29fecd89878a101

SHA512
4140f77e5ac43153ba34748a9398c0f0f9481616f4046c42c2917da3b000d49d5ee667fff22e277055a8a98af10982241c0531f247c1e700beb2da310d1ac80b

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
669KB

MD5
4fb13fd58805bfe6df18bf71b966c638

SHA1
9ec4cfc7c00a10f7311e6c4d350d6499324b7a22

SHA256
1d203735db71fa8af32440afb4bee30c18e3b3620f0126769746d1c8446f1b15

SHA512
2e3953235c5bcd00ade464efc3d8c8d7a77ae5bba584b77f35cf58e5e52098ff1a92045595c0d7dbd66179069c5e6dba81e858d6f504f0960b36e1f63fdb5c3b

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
669KB

MD5
f25d3f8d7995b9f47705e68873ab9032

SHA1
1e0df1ed23f0ce03ec7afe8960ab37a309265c1a

SHA256
580439651f1388a6b07a4e29e21700a9eaf3dfe6edb4921263fdf6ac707adabe

SHA512
1f786e99c13e877e5a747832452a2f8a71e28e71d921382a99f0716fb6aefbf233f7b8776db8bb50e91bfd00137bd52a2d329f1cd3f0e30279e1bb19436511da

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
669KB

MD5
11def84e91c1d75bfa27364f58b630a1

SHA1
0858df50922be6140e673e982d0c5ab5ba0c4ba5

SHA256
a2503e726c249855f759770e843e9d25d5275f5f3f104760508a56af8cc489d3

SHA512
3cd035b0b247ba730551d591c3f897d7acf6aac099f41434269707bd23c589479e2586c19e7bd7ee9f87fe97d5e07019ca67870d8bca22f2bc6cd2144af9045a

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
669KB

MD5
77d20b1b9b748c3582a2cc23c7ac6679

SHA1
c38500bcadb156c4774a3165ccb541da69afb526

SHA256
16ed5bf55fed734c0aacd23d86a771436fcff70064992324307d97dd4a2ab895

SHA512
945a1fbd7eb80d60b0a18da96d444d85fa9a8407869a1b750ca86c84b3c83d693ddc5db6cf5c2d776fa0b199128833c4aa06455632f65d9d3abdb09ab7d36fe6

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
669KB

MD5
2041455244d0ba8d98783d5d1d3e31d5

SHA1
66039e02f3a49d51250889e293bd856b57af0734

SHA256
9f35b122c6cb78b0829a4848c1e8e61d25b05def1a2364d8aea60cd5627cb421

SHA512
832f880e8d08a50c82e30050bb319ee865d4b62dde07a1d49d0ce1e939f481c1603fbcd5dc27dcd42371fcf86eb42ab620217e8bbeb9d50da4d177b21ee7ef6c

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
669KB

MD5
b1c63e6b5cb1c1be0a11d11fea3ad158

SHA1
4df89e91643a548d4f5fc4c92a5565178024bcb7

SHA256
ef867ea8d25a2550ccbfd2dada7c20160da94baa0d7f17b5161d32ae6d5b25e1

SHA512
a82769218ca32df4e58b652ca5826130d220d81e6e6cf9bf68c27f47fbbdbf5736dd058f6ca7bed9d6a734768cdcb243ce309e934bfe63fcf703bd4cde7b8d05

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
669KB

MD5
d1d8e6baedd93842d237283e91b53a2d

SHA1
aed022d3c458b14b1bdd9e6aa76794515fd281e1

SHA256
4dfc1f49a768f32f5db48f084a480cb6a822f727f3ce86693f8bcf60bbdf7331

SHA512
53c7df67f3fb7a99f0ad6d9444f2c1df3a4c65409e4706f131ce11a58641105ebb051d4d988e70a39060b6443a482ae6d479cec339777c6fd9f26ceafb02d7ca

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
669KB

MD5
649d24e21d7209ce3d5cc3410f360b4d

SHA1
6eca15446493669dac8ffca0b740ab47810e9006

SHA256
47d8d1ee293106bdd07ad6dd3793df86da7c7a23b62a54c4fb8cec8c12c19c34

SHA512
f0105cea2955edef440b203b0d7d5fa57936f639a9d763e02eb9ce55ed2971c32ac7572046c9154e7e6d8987cc488166d760d3a381cf43226b784b94ab4e375d

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
669KB

MD5
b03a60b439972c8920667f6b44bf00b1

SHA1
c3c28768c55d01b080284d5e8551ee502bab9761

SHA256
21bf393c982c3bb9003ed73ec167d39c6d9d405af371a872c49d1bf8d2d19064

SHA512
565810b13c1451a14f7f3071b732bb8fe5de747291a19422158a6e14c806316c5384996a925917e6558f4f229fabd703d56bf0d0ed0b13c44237b0743465ced6

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
669KB

MD5
d7bd925565bbe87aee6f0f2b505b2fa0

SHA1
8e8dbbe74b0de6019386b204ea9ec2e104812a21

SHA256
390cdfb647819047148ec050d8e368485fc8888a4f9bcfd8621c74357063559a

SHA512
75895ffb3ea370034303ec639761c7f5abb5729269649bb6be26b238299250751ed14b51b03861797b1197a9c954cc81535ead42dbf5576b93126c047f39bc99

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
669KB

MD5
a481016c98f1800c146a73e07497d850

SHA1
51e9deaf61506f0742e5757d7688fbc3c685073c

SHA256
b76d9b3c551386c1f6de5bd26268b9c35ee2a62daefd9780b8cfad20fdac6024

SHA512
4a7fe1309bcae59426567c671718f5e2de7ad9fe92fa716ed366e9da5589b34029d58b4e3e7ddc22ddc2aae1b48244c107564c366ad56374bc7e717f94432675

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
669KB

MD5
cc8fba682176aedd9dc9e84fea0beecc

SHA1
bec9fc346e02af538780e3e3890aa61b49dd2890

SHA256
357d3ebb8719a042a5b4611c37b9a5c621c44c7cd86dc9a7066801bf2ae5010c

SHA512
51c3bd57972a7a84e73c6a78593ad61fd7d18243a216723ea096eb9ec54c35dbc48aa38c5c79b3e993b7ca1c2f2405562176bed8d42ef81ad78803835f40e464

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
669KB

MD5
8da3be740aacf4f3af0a4fa1fd185336

SHA1
b8144e6cc567a4e1812729f8a468bcb32bc65323

SHA256
3d429c6381f5431220d265a6742aa53d0e4acc3bc111af35eb85215cfa1f8f64

SHA512
dcd16deb4ab3cb541d3ce124ccb97dd5cf0faae0a798f76e6b7f476fe81428a5b692918f5c3199f48475aaa8da68bac8512bf7ba8f9e07ea0033d4be977fe6ea

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
669KB

MD5
13154bacce7f3d3d5059a1894ea3e09b

SHA1
c017a2616c98a7161da6b3f91d383991fc3fc2ce

SHA256
ddadc1d1fbc8e39f91d54f117c67e569d70fa966ce1f5c2103d7ab1ebf59a73c

SHA512
90000fa78f54932ea2da9cec46144372e6121166c0a521b9b90ef2ebdcc0f06d18df31939a9b90e4e38b9b925b9495fa2d6fea77b42e79f7d1d29a05d8a4a894

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
669KB

MD5
f6f8f25c0af16a4b723a4f4bb44a5f48

SHA1
7fb1d7d08cd97439002afffa3260caabb3bc8b44

SHA256
b21323cc23672d573cb31f4da7b8763665ada04ed8a60a423d9fa7506704e969

SHA512
d9813c8f5cde6095da923e5a52f3b7d589928da684e3a464df50182269a3a298e794d8a108cb4cfc7b8fb89f1171945bfdbdcba282867258c4cddc9d227ea0f5

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
669KB

MD5
c131506fdaccc8e377713f4b89e525af

SHA1
c2d67128a5aee77251e3c89ff8214ac5b8dce430

SHA256
35f3fd6523c6ad8f86cad76bfab9c6b99cd1e5d6b8978b54613accfb0e2227fc

SHA512
e491862c2aab7d151c0cc44d2bb9584c2f893751214e0bd3dd006f85c5a9d3b7f7e18f52ffe0198b3b26571fee571be803ba66de3c2a966a0d5407df85fd72c1

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
669KB

MD5
3990678c4bf5323e629e2b4bc0819740

SHA1
b55c26fb7536ff9f80d64632de12f92754b0cfb1

SHA256
f0fd425a12688bade18fa61cd39521eb8931d6ae60321854ba62a4959cb9b32d

SHA512
54b3fd0360cb20e5499ebc539e1786337c33443e4e3a18975d138953447aa591dc9fccc78532b2ae63a12308a7f1886f5f1aaa712029107b252975073067d4c7

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
669KB

MD5
ac38e32d4e214fbf9d7a9dd127db3781

SHA1
97dd4fde5a9d9d8bc1592d7847cbfc249afdc732

SHA256
f18667d9e8c60ad2702b59f370b95d513cd05ad48195424bef908df93b9d868d

SHA512
25ccb58eca65062b32ca4d86679bcb5e8d675b05411b4f4abfc7ffb1fd1ce2f62d2636e8cba654f8334e2545e42a8f64ed2374dbc85b0ce014fb694e0b07a6d5

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
669KB

MD5
0d7c54297c78e77fc071fac04779bdb5

SHA1
46f040916f388becf0707b8b43fdb043683d0073

SHA256
ba233d2454c2c9741b11fb0003925b57c66ad7aa7bbbb26ac3a9494f843076b8

SHA512
b4d07193eae9cff12b967706273954d018e074a5a636040a021f33bf89781ec4e6d7627763369e48f70ac5218e286b410cc2df6b2c7c3f19396c38883bbe0a53

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
669KB

MD5
a2ebf73056a63fd83d87363c2a45411d

SHA1
060081c3dc70add071455f4022ddc74cf4ed6bbf

SHA256
d598833894fbebfa2d7e27a54551201423a0c332fee945edff3637c19f313cb3

SHA512
e384006bfd877175b2ea201ce29c4595ff27c84c01b9b1b4b84b97059b10a354a7abba131f306839beefea66d95cd9845478d760ece74a615e0e023636551849

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
669KB

MD5
d10b9a022cdba8dda47d1bd9e9e11562

SHA1
8e5e8e5a3c11f8bec552153df082f9d4208e6392

SHA256
048d65cfa6340d881cf720de8c5103f0d9f0cb8f8d8dc272a90c01cfa7f67d9c

SHA512
8a8f09cbd10d04ac8c53ff26a1d63c28d0a4a6b295a5fd39ed37f0db3f249543097f15bb0140ac4fbe35878042f06a0a6a8ebb1d3df8ac9a6d4a9601ff6fea4f

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
669KB

MD5
25d734c204f185c80302370cb68f96bb

SHA1
4f1d67f22844e1ebd99f7ab40848806de127d44a

SHA256
47b52800e707c6f2f6d602a5f7a8f1639953f4f3e03ecde70e6b282a98645731

SHA512
fc145f94893d59db4478b65e41c77b21f479e1adacf10c69bff7ef1a5f289c1716610674619cfad63237a0af69eb8f3a91df78a4feedc8814bdb672d257ef195

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
669KB

MD5
06aa17f9bede1b9fa348494fe50515cc

SHA1
8bf73400b2fe740b7382326415b24a2ff8168a6e

SHA256
ed6f95924ea0507ee13af2d8d469ccf9ac2b535b998be44bccf8dce7d9d1d513

SHA512
bfaaea016c9fe9b6da080516428b461f1bbfb2b6372b35bec378f117409c5c02ac0c2eead642a774053be824b67e83c3a636c86e6fe2ba49e201e8f8f3e9f9a5

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
669KB

MD5
9fd6d7fc93cc1cf7935bb58f64f6516b

SHA1
554b8925c97548633604a33712e0bda59b2e2738

SHA256
5ce73fe867517984fc728d42e468daefd6e78b84b473709c46d93de2ec3c52a9

SHA512
bc59837bea7ac017d7547a5824a030d1bcae9459f9af1834684330562a03d22cac64ba43f09828d27bdae52bfb1828b44d6be6de402287628ec54dbc8b9634d2

Download Submit
C:\Windows\SysWOW64\Jingckla.dll

Filesize
7KB

MD5
1fe299b85a9d08da732503b8a68dd1a2

SHA1
d40c8451b3a1fb6197da86bcc14eb11f1a24ba68

SHA256
2345a33b29cac30678fa37cd28b96dab1bde1f2b01ee6d6f3a3c66304102e3f2

SHA512
2337ed251e1f7c6d2a902763d0a69c9dde6ed88345699a21750c6a68fb3802503f5c933b00730afcab91002afcf0adc9e00a9d465b7d2c08ae4b0e18aac05790

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
669KB

MD5
03abc4342161c8e7b7553f2d774761f7

SHA1
38672db0e33f10e7f88af6acfe15d8cecb258ecb

SHA256
b814bb02cb4437b47596e99c58571c0f1ea53ca30a6f9829b403754bebd690f4

SHA512
8b85db12614409b85818173d538d2f6c3260ecebea46f59ad7a703c1f69d54053ca350732fbd279ca55034c5ed79d3341d3e4b591602b29ca2659266f64cae69

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
669KB

MD5
30dcadfd906a32aa4105c49af44bb1d4

SHA1
8647c743c415c1022f7abf214956d92edb396e48

SHA256
f0c8e1824d85e011bb44362077936dbadc51ca28e917aefc292edb9149002b41

SHA512
98caf9a6e984cdb5779e4e59f2f71d352ce94be9ff06af6d0e4cffea7fe7ac9ad0d721c596b7fa8c9ed7c0f70dd4ceb4cab3d9f736e27a8525a3401781299334

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
669KB

MD5
158c94ad16c4dae009c91c8b906d23c7

SHA1
267b567cc85b1ea6fb655f2fe0b1bc1deae94692

SHA256
dad661e77d4157151c36d811d578211b5e3d624498e7eeda209ebc3943877c6f

SHA512
35c62daa47a89059e5fb1aa26fc02700f5c5748cf6abff9c23780638bec7276e30ad65c62c4d1b22e0fdabd476d6f025147abcf95db9a0ee3c6d1060de7bf5e8

Download Submit
memory/116-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/268-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/400-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/636-567-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/780-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1124-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1556-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-474-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-519-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1800-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1988-458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2516-471-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2544-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-574-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-552-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-535-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3196-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3264-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3356-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-457-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3608-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3680-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3892-587-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4000-581-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4044-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-480-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4224-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-560-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4244-580-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4304-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4348-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4412-512-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4564-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4640-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4684-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5000-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5068-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5084-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5128-1313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5192-1304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5200-1312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5240-1294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5320-1297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5420-1310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5444-1296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5504-1309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5572-1302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5620-1308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5704-1298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5716-1295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5824-1303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5924-1316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6044-1292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6076-1314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6264-1289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6428-1285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6468-1284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6508-1283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6516-1261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6576-1260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6588-1281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6708-1278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6732-1258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6788-1276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6868-1274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6912-1273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7020-1254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/7032-1270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.