9a91c6033b9ae485a6fbb8399f7e181f8eb1afebd5edf9070b2f795ae473baa2

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 21:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0187982ce93ae2c1a7ce9d5ff0b1415a.exe
Size

80KB
MD5

0187982ce93ae2c1a7ce9d5ff0b1415a
SHA1

e735af881abda66d07911568137631d10b4cff6a
SHA256

9a91c6033b9ae485a6fbb8399f7e181f8eb1afebd5edf9070b2f795ae473baa2
SHA512

df3922954dbd04d4c70a5470990ea8df08e0faa21922e6c157e6ae9ffd224ba7bc62c1a7c7d1766ebffa2adf24747ec943f24ee046ecd023e25d2f7cb004d1d1
SSDEEP

1536:BZACgR0a1qF8KPGU+7C79XGx+eG6eS2qma+yWKPjn7zh5p2Ltnpwfi+TjRC/6i:BZAtif6nXC79XO+eG6eS2qma+yWKPjnQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Commqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doccaall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clqnjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coagla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpemacql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Capchmmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe

Executes dropped EXE 64 IoCs

pid	Process
1852	Cipehkcl.exe
2092	Clnadfbp.exe
1612	Commqb32.exe
1604	Cefemliq.exe
2956	Clqnjf32.exe
4204	Camfbm32.exe
4036	Cidncj32.exe
1144	Clckpf32.exe
3028	Coagla32.exe
3712	Capchmmb.exe
1160	Dhjkdg32.exe
2920	Doccaall.exe
2924	Diihojkb.exe
1480	Dpcpkc32.exe
440	Dcalgo32.exe
4224	Dhnepfpj.exe
4380	Dpemacql.exe
3776	Dcdimopp.exe
1908	Debeijoc.exe
3964	Dphifcoi.exe
4840	Dcfebonm.exe
2568	Djpnohej.exe
3896	Dpjflb32.exe
1544	Dchbhn32.exe
324	Ejbkehcg.exe
4276	Eoocmoao.exe
4264	Eckonn32.exe
536	Efikji32.exe
4764	Ehhgfdho.exe
2008	Eoapbo32.exe
3244	Ebploj32.exe
5072	Ejgdpg32.exe
1288	Eleplc32.exe
3828	Eodlho32.exe
2508	Ebbidj32.exe
3168	Ejjqeg32.exe
1892	Eqciba32.exe
5088	Ecbenm32.exe
1468	Ejlmkgkl.exe
2160	Ehonfc32.exe
1812	Eoifcnid.exe
2084	Ecdbdl32.exe
748	Ffbnph32.exe
1316	Fhajlc32.exe
632	Fqhbmqqg.exe
2320	Fcgoilpj.exe
4156	Ffekegon.exe
3668	Fqkocpod.exe
4012	Fomonm32.exe
4744	Fifdgblo.exe
2404	Fqmlhpla.exe
4248	Fbnhphbp.exe
1808	Fjepaecb.exe
516	Fihqmb32.exe
4820	Fobiilai.exe
3388	Fbqefhpm.exe
656	Fjhmgeao.exe
4708	Fodeolof.exe
3664	Gfnnlffc.exe
1684	Gimjhafg.exe
4972	Gqdbiofi.exe
3176	Gbenqg32.exe
4440	Gmkbnp32.exe
1640	Goiojk32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Ebploj32.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Ejgdpg32.exe
File opened for modification	C:\Windows\SysWOW64\Fhajlc32.exe	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Clnadfbp.exe	Cipehkcl.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ehonfc32.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Gqikdn32.exe	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Debeijoc.exe	Dcdimopp.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kipabjil.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Dofqcl32.dll	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Dpemacql.exe	Dhnepfpj.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Eagncfoj.dll	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Fgpjnm32.dll	Dpcpkc32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Diihojkb.exe	Doccaall.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fifdgblo.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7264	6868	WerFault.exe	298

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Diihojkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clckpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0187982ce93ae2c1a7ce9d5ff0b1415a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncjcpe32.dll"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpmkibm.dll"	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Commqb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1852	1444	0187982ce93ae2c1a7ce9d5ff0b1415a.exe	86
PID 1444 wrote to memory of 1852	1444	0187982ce93ae2c1a7ce9d5ff0b1415a.exe	86
PID 1444 wrote to memory of 1852	1444	0187982ce93ae2c1a7ce9d5ff0b1415a.exe	86
PID 1852 wrote to memory of 2092	1852	Cipehkcl.exe	87
PID 1852 wrote to memory of 2092	1852	Cipehkcl.exe	87
PID 1852 wrote to memory of 2092	1852	Cipehkcl.exe	87
PID 2092 wrote to memory of 1612	2092	Clnadfbp.exe	88
PID 2092 wrote to memory of 1612	2092	Clnadfbp.exe	88
PID 2092 wrote to memory of 1612	2092	Clnadfbp.exe	88
PID 1612 wrote to memory of 1604	1612	Commqb32.exe	89
PID 1612 wrote to memory of 1604	1612	Commqb32.exe	89
PID 1612 wrote to memory of 1604	1612	Commqb32.exe	89
PID 1604 wrote to memory of 2956	1604	Cefemliq.exe	90
PID 1604 wrote to memory of 2956	1604	Cefemliq.exe	90
PID 1604 wrote to memory of 2956	1604	Cefemliq.exe	90
PID 2956 wrote to memory of 4204	2956	Clqnjf32.exe	92
PID 2956 wrote to memory of 4204	2956	Clqnjf32.exe	92
PID 2956 wrote to memory of 4204	2956	Clqnjf32.exe	92
PID 4204 wrote to memory of 4036	4204	Camfbm32.exe	93
PID 4204 wrote to memory of 4036	4204	Camfbm32.exe	93
PID 4204 wrote to memory of 4036	4204	Camfbm32.exe	93
PID 4036 wrote to memory of 1144	4036	Cidncj32.exe	94
PID 4036 wrote to memory of 1144	4036	Cidncj32.exe	94
PID 4036 wrote to memory of 1144	4036	Cidncj32.exe	94
PID 1144 wrote to memory of 3028	1144	Clckpf32.exe	95
PID 1144 wrote to memory of 3028	1144	Clckpf32.exe	95
PID 1144 wrote to memory of 3028	1144	Clckpf32.exe	95
PID 3028 wrote to memory of 3712	3028	Coagla32.exe	96
PID 3028 wrote to memory of 3712	3028	Coagla32.exe	96
PID 3028 wrote to memory of 3712	3028	Coagla32.exe	96
PID 3712 wrote to memory of 1160	3712	Capchmmb.exe	97
PID 3712 wrote to memory of 1160	3712	Capchmmb.exe	97
PID 3712 wrote to memory of 1160	3712	Capchmmb.exe	97
PID 1160 wrote to memory of 2920	1160	Dhjkdg32.exe	99
PID 1160 wrote to memory of 2920	1160	Dhjkdg32.exe	99
PID 1160 wrote to memory of 2920	1160	Dhjkdg32.exe	99
PID 2920 wrote to memory of 2924	2920	Doccaall.exe	100
PID 2920 wrote to memory of 2924	2920	Doccaall.exe	100
PID 2920 wrote to memory of 2924	2920	Doccaall.exe	100
PID 2924 wrote to memory of 1480	2924	Diihojkb.exe	101
PID 2924 wrote to memory of 1480	2924	Diihojkb.exe	101
PID 2924 wrote to memory of 1480	2924	Diihojkb.exe	101
PID 1480 wrote to memory of 440	1480	Dpcpkc32.exe	102
PID 1480 wrote to memory of 440	1480	Dpcpkc32.exe	102
PID 1480 wrote to memory of 440	1480	Dpcpkc32.exe	102
PID 440 wrote to memory of 4224	440	Dcalgo32.exe	103
PID 440 wrote to memory of 4224	440	Dcalgo32.exe	103
PID 440 wrote to memory of 4224	440	Dcalgo32.exe	103
PID 4224 wrote to memory of 4380	4224	Dhnepfpj.exe	105
PID 4224 wrote to memory of 4380	4224	Dhnepfpj.exe	105
PID 4224 wrote to memory of 4380	4224	Dhnepfpj.exe	105
PID 4380 wrote to memory of 3776	4380	Dpemacql.exe	106
PID 4380 wrote to memory of 3776	4380	Dpemacql.exe	106
PID 4380 wrote to memory of 3776	4380	Dpemacql.exe	106
PID 3776 wrote to memory of 1908	3776	Dcdimopp.exe	107
PID 3776 wrote to memory of 1908	3776	Dcdimopp.exe	107
PID 3776 wrote to memory of 1908	3776	Dcdimopp.exe	107
PID 1908 wrote to memory of 3964	1908	Debeijoc.exe	108
PID 1908 wrote to memory of 3964	1908	Debeijoc.exe	108
PID 1908 wrote to memory of 3964	1908	Debeijoc.exe	108
PID 3964 wrote to memory of 4840	3964	Dphifcoi.exe	109
PID 3964 wrote to memory of 4840	3964	Dphifcoi.exe	109
PID 3964 wrote to memory of 4840	3964	Dphifcoi.exe	109
PID 4840 wrote to memory of 2568	4840	Dcfebonm.exe	110

C:\Users\Admin\AppData\Local\Temp\0187982ce93ae2c1a7ce9d5ff0b1415a.exe
"C:\Users\Admin\AppData\Local\Temp\0187982ce93ae2c1a7ce9d5ff0b1415a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\SysWOW64\Cipehkcl.exe
  C:\Windows\system32\Cipehkcl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\SysWOW64\Clnadfbp.exe
    C:\Windows\system32\Clnadfbp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\SysWOW64\Commqb32.exe
      C:\Windows\system32\Commqb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        25⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        26⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        27⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        28⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        29⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        31⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        34⤵
        Executes dropped EXE
        
        PID:1288
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        35⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        37⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        39⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        41⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        42⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        43⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        47⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        53⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        58⤵
        Executes dropped EXE
        
        PID:656
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        64⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        66⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        69⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        70⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        71⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1376
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        74⤵
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        75⤵
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        76⤵
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        78⤵
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        80⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        81⤵
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        83⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4664
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        85⤵
        Drops file in System32 directory
        
        PID:1848
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        86⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        88⤵
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3144
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        90⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        91⤵
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5124
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5164
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        95⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        97⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        98⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        99⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        101⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        103⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        104⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        105⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        106⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        108⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        109⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        111⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        113⤵
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        114⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6076
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        116⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        117⤵
        
        PID:116
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5384
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        122⤵
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        125⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        126⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        127⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        129⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        131⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        132⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        136⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        137⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        138⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        139⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        142⤵
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        144⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        147⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        148⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        149⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        150⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        151⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        153⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        156⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        157⤵
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        158⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        159⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        160⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6528
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        164⤵
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6616
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        166⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        167⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6780
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        170⤵
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        172⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        173⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        175⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        176⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        177⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        178⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        179⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        180⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        182⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        183⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        185⤵
        Modifies registry class
        
        PID:6608
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        187⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        189⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        190⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        191⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        192⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        193⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        194⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6668
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        201⤵
        Modifies registry class
        
        PID:6472
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        202⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        203⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        204⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2452
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        206⤵
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        207⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6868 -s 404
        208⤵
        Program crash
        
        PID:7264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6868 -ip 6868
1⤵
PID:7232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Camfbm32.exe

Filesize
80KB

MD5
fdd46422cc0ab89b70b6e988a9c4ce12

SHA1
afcb902d60c70181dbd6b264105d60e669f32256

SHA256
9c282ba5da1920d7cfb06614e79fb9f118520060f74c536c0db9789d264ec646

SHA512
7738e9fe398cf74c32697ff3f0bf6a2008b83bbccfd6e4d025f19db57660ca1437df298e29ce9173a41bb6fa01754bbe73be95b2983395aec4d63a9ff351f854

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
80KB

MD5
788e4af7923c07e8f01fd7ac28284a1b

SHA1
d64c1d5378b71c14ce18e83a571eb29965cbace0

SHA256
a08a03826fac57e511893c4feafb0d5d90b960c4dfd4d1556821eec1f157267d

SHA512
c123991d356a2922cdfc030738942d9c7c596efdb03869d3ace46892486aae66ae61e0158dad57d8149599fc07ba656a26d8931311f4f1f002d2daf371406027

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
80KB

MD5
87005acf21b819f32ff785104b8c97c5

SHA1
0e12fe84223cba6fcb03872b30844e4b2704fc3d

SHA256
e2193a67c79ca49e17e14c116be6308a2a16118ec1c6929ed0b12cac0f7a27e2

SHA512
2fc43d5a333cffede56382b3fec7d7d6171673ef3c01a5926e11f69c5ba1c9c9503475d10b55ac5cede7f0fed09e3324857f4959d170b659fe1888b9b473817c

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
80KB

MD5
51299a6ad57812012574206fb505c97c

SHA1
08dc9f8acb554cc02fbfab8b62563be43ecb280c

SHA256
ec85b8181ab4780854cec868047c67f8943850b308a1d0992f335f40680537cc

SHA512
be7eada64c273344338f274e5be4c6e89a0dfc4caa0a424cb2c972b000fb0eea2d19253c718ac77435a68c215036a2630574a7512fb43dc9ea2863ac3af68161

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
80KB

MD5
45e5b55a23cb5b085a7e2e3690ae172a

SHA1
c8a5c8dbaacf30bf8af0f322beba05d3eaadead8

SHA256
5d104b9c8f3f0fc238a8e3f77be01971fbb06cc766a90cf95ee3bcce10b09f5f

SHA512
2f4c5914eff8b0cfa1f2e352de40609354bcefb064e065304c989ca956995183198086ff36b85e816f4d98df11d6c740facfb8ed8ce954c32effb62d220b037e

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
80KB

MD5
29ea4738ef696737eada2c0192227692

SHA1
567e4f7d40577c98f8a5b1a50bace5cdb171410a

SHA256
e29d1e221006a79375ba1f20ab274e6041161bbfae950e14f4507b4d501c971d

SHA512
a3df793d6b7988c9ca4ceace9023aa40ddb86e02dbd4264e07078c29f916482c84bf70816e9e42d6f089a07777bd9bec999ee7494a426aca0c648550b5f823dd

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
80KB

MD5
d7172dc162fb92a6a30ec31d8ee36de6

SHA1
2277a6343d473db07949e1ac85e0952510e5a169

SHA256
a319e39c7bfb827f23a6621371765becd0a74bc3ef434489847a9480bce154d6

SHA512
bcd16a1a2873174a44bd5f36c44bc55cddb6c38db255867f7fdf2ad8fe9625a3e9df5af0372330327d16e3f24fa1ee9a3e9f9945bde03d9473373d6c96311b30

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
80KB

MD5
f9e541d343112af0fa2bf4b596c0f3e3

SHA1
c9c0542d6e9ccf3dfa056a203ee4efeb8926ee87

SHA256
57f46e64212ff3d5edf9c1bb4f61bc02d934bd16b3dd791ce78bc0dd3f2e01b8

SHA512
10ac35572e8c214e24f27f84e6fe89ede13f65db6d9582f54df28b4aa35e153e66663f14f632d43754685bbbce483468d3af81bc8e4e25d3b4f620b4f286c7dd

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
80KB

MD5
1cc74ccb2c956e637c979d6f966a9022

SHA1
8851151703195076e41802ae52764ad35b436d98

SHA256
64b97adebac1736e3796406e24b56eeb52bd391deea09bf1cadcbb127f38a327

SHA512
e22fc9246d6bcda643b8a85ee83a6d79b50137acc443f675e34bdffdc65ebb02fe3856ebf39dc54d837c77cb098f92cff162f2ba2ae708b554a4b6aff6d32441

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
80KB

MD5
344740fce7b2ad53c0371b8ddb899ebf

SHA1
ec79473f80cf2ead59229c8ee84dfd3f9ad7be81

SHA256
6aad5bef8bcd9813399e6a51dad49a7ad51180492bae0275739312826348c3f3

SHA512
597ee5cf3d6425ea0e859bfc82bf2054f4358c7df54c2effd6701711e2194fd81e6b9c31defd53b201dd744661c00c986bd124513a5321b37938996c14826cdb

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
80KB

MD5
720608e7f733127c5ab6a78a1ededdfb

SHA1
2dd0356e961fdc71a0b1a34a981ca7a54cedb181

SHA256
1b058141c2213663927004e80730da718542e219110fec7467928d2ee8ff7477

SHA512
1e08b5c9ac4f211f8d05c2b8a582b4f8be7491d16712e2263003a075b0cb950e1c87ced09286ff66eb4e9046f91b00b289ddd4d223bf61f11c4e93338aec2ccd

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
80KB

MD5
d3b8a4ef0161c3ee7dd51cc260d45618

SHA1
92a565b2d1d4f0f522d29da89b5b1e6a14099fde

SHA256
2a03d92cc578c07448dd84f36efef36f563f6152b33cfa005dfb3f69faf641b5

SHA512
7d954a12483913922d04dc0657114323b53cc4ab103d7c255e5aafa82a8427e328f6109ff739e169a58f8e398b25cac56d0d14405586ee99fbca3da78fc0165b

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
80KB

MD5
eaadf99ae7dc9501a56f86aad7b0e232

SHA1
1a02d68168413b5c980741d0ae39bfa4377b4263

SHA256
d8394c9359bbe8585de51739ec23a285bcd602a564fc6068d4d085bb2296675d

SHA512
07bfcc4d795ba99311755b8c183a362801011c4b5b496dde83a8777df6ef5edb7ebd97cfba83f88d4238fa4036170e698f19575a8e2711a710ab9ee123aac227

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
80KB

MD5
122dcc4e06bfe0fb7be8a0d12d1daaf1

SHA1
d2233e914e44b24cf81bcc2fe5fd544a44a857d3

SHA256
df1e86ee9a199bdcdf8ac005fba2e210669a3e4922987515539d59d620c3f6d5

SHA512
b2cbd5aadc4173aa2fbdaf73b25ca590349a8645d71fd40a40b75928ac494e4756a18b9be0203dfc8670b9bf4b30d6dc021392049b2eead9fcaecacaf6280fd3

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
80KB

MD5
c9dba6f7503b94845778fc33a8ddd7ad

SHA1
26b82ba1261ff21265900585cf02df0275560ba2

SHA256
9545247e83f2ae59e2382a83f28e25ec0a22825332aa4230bc4ef68acb5e2960

SHA512
487ba846c7bce7c7a98b0083f406275ef1897eca8dea10d6935205871145d70f9a99a8a88e60a746118fcb098d7738f770084599ca73bdbbe8e76eb5f37c1f8e

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
80KB

MD5
cc64028e0cac451269b44c81ffef6ace

SHA1
4c91e7e24f39815a1dfe55e6129530387c36b577

SHA256
92c64e8e6ed09b754c670794ffd28770a3cfbb175f2d96f91d924380cbf13b78

SHA512
89e29f19fb977d42a566c5bc6394390c0132a95a502845f4ee91561ebaf8cbb6a08ee6b58f38fdcc7ca179a57f3ae7e18b45ac27a12fbe59d8e39e4682be2f39

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
80KB

MD5
a6ece0f62b70ef7d31a484f9b659cf96

SHA1
cbc2188ee3964f81b2840d4b0f8d473fd7c2a43b

SHA256
8e3eda4603dc2cce091a9b5e83ff58f3c9f5cc65695137cad64dfc56915f3a89

SHA512
6519ea919213ba39d770758012b2c08a960d81cf3caa2a39b9a27d5e7548ec18809fc9911a55a3cc8e90631b11e54f498cb3ecd3b24a6885b9c8d3e0ac89a676

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
80KB

MD5
f042fac46c9b3969751d9261f1958d25

SHA1
ada08b19cac51652a5bce2a7026e771bc59439e3

SHA256
3e7059fa7994c9f2d3802b25d839e62f096b5cc6c4061935494a9dfea8c2d721

SHA512
63ab70f00dc518870622349899cd69f99b5c2f97c9a245862a765ac17ef0459612570f3962e6aff667588e011d313d2ac4f613f41d5aadf89463a784e40b0144

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
80KB

MD5
d79ac768304309918c928aca18f474ea

SHA1
5e9f0b54962394e59e49a7780cb50bb86045f3e3

SHA256
ecb62f2cc9aa767a6c45b845d16594f09583e8330c1e27cf431fa11d4905b320

SHA512
e7b01aba97495a9119b4a560dca2a8f3abe9870c330a00db95829c086d5dbc459681c96e35558946b0e00bf2454bab893232b234f8ae41178f2e7ed9fb406152

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
80KB

MD5
aa44889df09ea68ccdc493af07671fff

SHA1
8343c0807075be61d798ec6f79d0a92ad404b11b

SHA256
d9130b1b2b14ecf88c67cf7e79f56cbff7782b10614f4de6c646ea92a87618c5

SHA512
bd900409a1e791605fa3bc88391a47757852b74ba458666e03f548f69bbef11e017912a767e6045997056350fa20931556cdf1e3887fd2fc7257c771b0cae722

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
80KB

MD5
4825c8a7abf109d5dc1c08ab50f692a1

SHA1
6dd0e742bd8c4c0e0a2165a213a97d002a235f55

SHA256
0988cf01b2b76f4bbbbbba0efe5c0c4e576a883e5854dac20aedb4b0daa40bcf

SHA512
d2886d4c3f7f5afbfc927be1b851a7989864707d190e724a241a329dded35e350e7dc1b0483b0acb59ec1e81c94c402769aeca97f1a938b8b8c761c8da9f7492

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
80KB

MD5
b757feaf0d862dc71f0522a4f24ee715

SHA1
3c8a839f38c93df98199f2d088f6430205b2a7ce

SHA256
2ed1a447e6119bfb6e5bc5d17fbddfa786c93beddf88792b19312e7bf9082278

SHA512
6deb3974db65764c3e81545ad49927f42e6bf91af5fa094e10633b977acd3018b39cdff0856cbfbe5cfed856f1b63e78735dab85e5b151362f261f6d3ad175d4

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
80KB

MD5
c022b375ba262d1db48d295b91fb81ad

SHA1
ce168a745ee13b1308748e6d13396b2e2ee60373

SHA256
25c7d7bd4551cbb06e5cc306132da35fd933933ed155eeeaf76ec13abb8bdd7e

SHA512
b6b18307c1ea36341fa4c6d773382df3605f0d5f6d31963d6012644cae97e7d36431703e94119b07fb270ba949c049642164c345d38acf2eb192f07ebe0ec2ff

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
80KB

MD5
cf3643f1bbd3fe7e52e30c904b8ed242

SHA1
4e0f2078980219515ab5c4c25cd56007c5f09fd9

SHA256
1e947183e7f5db2d391c9e7647d2dd34caec8e0bc8e3eb1fc1ac2edd9c01d84a

SHA512
d47171c7e61bf1cf82b4cd3e1cae51598521f2f0f2c901708decee09381bcca9c3c7612806215a6819bc942236ee7b0a69e2bc6975db5a9191038bcb9772ee02

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
80KB

MD5
a6f6c6b0041fb1cc26237d86314c4df5

SHA1
8e9a439be9d11585367dadbbaccf1b90f810e42e

SHA256
bf1275a20d3d551728e0c3a7311dc981b303e62f822593a51c165f6339032c1b

SHA512
fa9896a793059751d7c84dd5b98bf4b2825187f1489068b8c57286d3cb7c66bab7e2cf2690f2e9741ba7bd1ca404bf376e5d3238f8f0f1904c9438bc0b4627f0

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
80KB

MD5
0aa108af062ac10db285cf88deb943b9

SHA1
000553bfd761320a86238715c47245698b576872

SHA256
1e55ef85fc93635ade657b88f74cb40acdf2b336f03ec8417afabe3cfb449e9b

SHA512
4c28374ad1abb4608996816d704f66ecf686584756c1ffcdf02adba3be94e6984b719a86e72b68a58843751bef9d686d9d55f85838598a21ee75125d3a02f4a8

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
80KB

MD5
3d17a862c2b6d9605e39646268daa44f

SHA1
528fd317542b184d14e277288be10af0690f50f2

SHA256
b6d4acaa643c64f99519c52f8b41499b5ef225c88150955017e6e843b3ef45d4

SHA512
f7adfee35bb1eef8a84d306c237a003a370292d67310f9db7162b9bf8ace35a4c15fff0add08f71d8795b3f5774cf67d2eff33e4b5b8b3dfc04da91744cd3749

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
80KB

MD5
035dc68cc98a7d3262ddeb51d10c1490

SHA1
5bcfef9d9ca5159f582d56b90a25399d9e51b1d0

SHA256
4bff922ffae29c671207b08d62247064f03c6870337f11cb1203c14689f98258

SHA512
bbc9031e7d0fafc6eae04dc81da2a95ce4bc6f0903c04252fa035e186976a0a88d2a727fb896f379636a251b20e346ef26cd59d1e69ab09881b28f643f935422

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
80KB

MD5
76c9302de51a750856c60a62d3477954

SHA1
8f84f99282f44339f904b9efadd19c6e323802b6

SHA256
6a75a271260d55137947d3fc8eed4afc8c6027fe6b4ee27610e52c09622943c0

SHA512
db1c11058fe7fa72427b96980d74423333f90daad4f1ce40cb8551f9bb23142e593f6429e835e02fbbb70204f2baf5c339ab0ceb7a216f00ca09823c1bd4ebfa

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
80KB

MD5
c7edc1793d174d9fe2cb4503f0097441

SHA1
a6057b43b53acf3747a4fa1560f62a3f4e991563

SHA256
48898225a98fc13a085f2f28edd9e4e401a8758327e296e807ec9da705e181a7

SHA512
fc17f60b0650120d7fb9333db8bfdad22672f7321f4783abf112b575ac1391c69d728939dfbf1ab5d6b8601ce37c9d50271cd0bca3e0a5070e5bfcb6a9cbf6db

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
80KB

MD5
cf779983338925843d98cad0813a1b15

SHA1
75c34a8284406303bc331fdd282b8b6ddc86eb47

SHA256
209010590ff2553acf3993dd5542262647bb34d675b9a51ccf77f35d269f5bbb

SHA512
f0fb693ed11d1f308cbbbf128a4aefd7cf120659eaa7043a3055bd4df7bd90eeec5901165d15354cb438f15641a9c4d7fd053d235bdb676acc3a8beedada9d61

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
80KB

MD5
403102cb34c91757df2ad1cab0922b77

SHA1
7048b09df436bb2622a7ad428c09baf1b3502db2

SHA256
4eb3b8335cbeab2d38534b1e20f5dff4bf449442f2abf9274087f9c7ade197a6

SHA512
385e9fafda256421d97602abf8658d1bebd29020c9cad4205110aaa9c5f3f002165363dd9c86a2c83fb854c51e7d03f16d55ca89d301744e34850670ec54cfb6

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
80KB

MD5
69c816fa5812e321ca7599f161f6216f

SHA1
4cc787f8fdcdb2af516aa7d3baae0779bc4e53f2

SHA256
1109bdb2b37c26d0b88e06daea16f10b3236ac06c2c744663b2ca8426144dd00

SHA512
71121a037ec10e3dc94e415034068d3c266ba30b3cb9733c5bef22d027694003a18e638415f3057b1ad620ea32234c7a0cd649cdc60409116c795e4b678acb67

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
80KB

MD5
4b40b037ab299ea76195caa112ed6585

SHA1
98df0873d564f7811b0f41b006e41dc08455cd1f

SHA256
239dc07d52d80774c35b59e0bad4b1b613da58e5d7b194ec1eb6d7ffc134f87c

SHA512
e6cc66c4b4952b59db4e78b09079a00a24947c9a2ab45455e884bfc423ff50de1b4dc9ec87108b29145ebd3912be4b52f0aa608f7657241ae6507000ca608970

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
80KB

MD5
e953654ea8a13d9e39f5366324b73bdb

SHA1
1f8433dc646c8f5fcfc1247e932907e90ceec394

SHA256
d875c246875e6a3b38b4650b4e9711eb8b3ba94184160e1101c5ef6a11cd7584

SHA512
e4fef4768da4750a4f82b2f2343667a0a109118aa353e6b989b45221c3889329632cc5a3bdeb5d7ac262fee933c2a11855461c6c08ec71adf476767ea50135db

Download Submit
memory/324-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/440-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/656-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/748-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1160-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-5-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1480-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1544-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1808-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1812-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1892-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1908-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2084-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2092-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2160-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2568-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2924-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3664-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3776-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3828-273-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3896-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3964-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4036-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4204-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4224-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4248-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4264-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4380-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4744-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4972-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5072-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads