a68624dcf9609d5cd4c61afcc6ee1872c10704cde8a2a117ca7de75a49990f70

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f85d90a2cec25988d8e82af5049247d9.exe
Size

377KB
MD5

f85d90a2cec25988d8e82af5049247d9
SHA1

c56e58332ac3bab3a7d749cae7bd8974a6c5dfec
SHA256

a68624dcf9609d5cd4c61afcc6ee1872c10704cde8a2a117ca7de75a49990f70
SHA512

a4e6756bec9a85fee5d0d4fe3e40b9fd50533c1c9a7c8d785590cd89bb7943ce4ff88ba707fddbfb5a2c3da53d673b88be05c30eb21ed60197d421b764c9aa76
SSDEEP

6144:W3IEhXNp5O4KxVdGGSgnohijgAUv5fKx/SgnohignC5V:W3IyO5HdjdMTv5i1dayV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlgdkeje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpofpdgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doccaall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe

Executes dropped EXE 64 IoCs

pid	Process
712	Cpofpdgd.exe
3540	Cekohk32.exe
3656	Dhjkdg32.exe
3112	Dlegeemh.exe
2084	Doccaall.exe
2100	Dabpnlkp.exe
1804	Diihojkb.exe
3916	Dlgdkeje.exe
3984	Dpcpkc32.exe
744	Dcalgo32.exe
4252	Dephckaf.exe
556	Djlddi32.exe
2220	Dhnepfpj.exe
2452	Dpemacql.exe
1612	Dohmlp32.exe
4012	Dcdimopp.exe
1240	Debeijoc.exe
3360	Djnaji32.exe
4604	Dllmfd32.exe
1112	Dphifcoi.exe
1596	Dcfebonm.exe
4100	Daifnk32.exe
3580	Djpnohej.exe
1164	Dhcnke32.exe
2264	Dlojkddn.exe
2896	Dpjflb32.exe
2008	Domfgpca.exe
4188	Dchbhn32.exe
4116	Dakbckbe.exe
4928	Ejbkehcg.exe
4104	Epmcab32.exe
2588	Eckonn32.exe
3632	Ebnoikqb.exe
468	Efikji32.exe
808	Ejegjh32.exe
1564	Elccfc32.exe
4756	Epopgbia.exe
4740	Eoapbo32.exe
3320	Ecmlcmhe.exe
4312	Ebploj32.exe
3508	Eflhoigi.exe
1488	Ehjdldfl.exe
428	Eleplc32.exe
224	Eodlho32.exe
2088	Ebbidj32.exe
2484	Ejjqeg32.exe
944	Elhmablc.exe
4036	Eqciba32.exe
4172	Eofinnkf.exe
528	Ecbenm32.exe
2500	Ebeejijj.exe
1104	Ejlmkgkl.exe
3148	Ehonfc32.exe
1656	Emjjgbjp.exe
3436	Eqfeha32.exe
2768	Eoifcnid.exe
1952	Fokbim32.exe
5056	Fbioei32.exe
4672	Ffekegon.exe
4364	Ffggkgmk.exe
232	Fopldmcl.exe
4628	Fcnejk32.exe
2208	Fjhmgeao.exe
1244	Gcpapkgp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Gkillp32.dll	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Eofinnkf.exe
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ejbkehcg.exe	Dakbckbe.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Dlojkddn.exe	Dhcnke32.exe
File created	C:\Windows\SysWOW64\Ffekegon.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Daifnk32.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	Fjhmgeao.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Diihojkb.exe	Dabpnlkp.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mlmpolji.dll	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Jplmmfmi.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Fgpjnm32.dll	Dpcpkc32.exe
File opened for modification	C:\Windows\SysWOW64\Dpemacql.exe	Dhnepfpj.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Ffggkgmk.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gjocgdkg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7564	7476	WerFault.exe	317

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genjanmh.dll"	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Domfgpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphbondi.dll"	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccgkde.dll"	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbehnol.dll"	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjmif32.dll"	Dhnepfpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojjgcdm.dll"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgegko32.dll"	Diihojkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkcdljbo.dll"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamagp32.dll"	Dlegeemh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojeoiop.dll"	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojigmkeg.dll"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 712	656	f85d90a2cec25988d8e82af5049247d9.exe	86
PID 656 wrote to memory of 712	656	f85d90a2cec25988d8e82af5049247d9.exe	86
PID 656 wrote to memory of 712	656	f85d90a2cec25988d8e82af5049247d9.exe	86
PID 712 wrote to memory of 3540	712	Cpofpdgd.exe	87
PID 712 wrote to memory of 3540	712	Cpofpdgd.exe	87
PID 712 wrote to memory of 3540	712	Cpofpdgd.exe	87
PID 3540 wrote to memory of 3656	3540	Cekohk32.exe	88
PID 3540 wrote to memory of 3656	3540	Cekohk32.exe	88
PID 3540 wrote to memory of 3656	3540	Cekohk32.exe	88
PID 3656 wrote to memory of 3112	3656	Dhjkdg32.exe	89
PID 3656 wrote to memory of 3112	3656	Dhjkdg32.exe	89
PID 3656 wrote to memory of 3112	3656	Dhjkdg32.exe	89
PID 3112 wrote to memory of 2084	3112	Dlegeemh.exe	90
PID 3112 wrote to memory of 2084	3112	Dlegeemh.exe	90
PID 3112 wrote to memory of 2084	3112	Dlegeemh.exe	90
PID 2084 wrote to memory of 2100	2084	Doccaall.exe	91
PID 2084 wrote to memory of 2100	2084	Doccaall.exe	91
PID 2084 wrote to memory of 2100	2084	Doccaall.exe	91
PID 2100 wrote to memory of 1804	2100	Dabpnlkp.exe	92
PID 2100 wrote to memory of 1804	2100	Dabpnlkp.exe	92
PID 2100 wrote to memory of 1804	2100	Dabpnlkp.exe	92
PID 1804 wrote to memory of 3916	1804	Diihojkb.exe	93
PID 1804 wrote to memory of 3916	1804	Diihojkb.exe	93
PID 1804 wrote to memory of 3916	1804	Diihojkb.exe	93
PID 3916 wrote to memory of 3984	3916	Dlgdkeje.exe	94
PID 3916 wrote to memory of 3984	3916	Dlgdkeje.exe	94
PID 3916 wrote to memory of 3984	3916	Dlgdkeje.exe	94
PID 3984 wrote to memory of 744	3984	Dpcpkc32.exe	95
PID 3984 wrote to memory of 744	3984	Dpcpkc32.exe	95
PID 3984 wrote to memory of 744	3984	Dpcpkc32.exe	95
PID 744 wrote to memory of 4252	744	Dcalgo32.exe	96
PID 744 wrote to memory of 4252	744	Dcalgo32.exe	96
PID 744 wrote to memory of 4252	744	Dcalgo32.exe	96
PID 4252 wrote to memory of 556	4252	Dephckaf.exe	97
PID 4252 wrote to memory of 556	4252	Dephckaf.exe	97
PID 4252 wrote to memory of 556	4252	Dephckaf.exe	97
PID 556 wrote to memory of 2220	556	Djlddi32.exe	98
PID 556 wrote to memory of 2220	556	Djlddi32.exe	98
PID 556 wrote to memory of 2220	556	Djlddi32.exe	98
PID 2220 wrote to memory of 2452	2220	Dhnepfpj.exe	99
PID 2220 wrote to memory of 2452	2220	Dhnepfpj.exe	99
PID 2220 wrote to memory of 2452	2220	Dhnepfpj.exe	99
PID 2452 wrote to memory of 1612	2452	Dpemacql.exe	100
PID 2452 wrote to memory of 1612	2452	Dpemacql.exe	100
PID 2452 wrote to memory of 1612	2452	Dpemacql.exe	100
PID 1612 wrote to memory of 4012	1612	Dohmlp32.exe	101
PID 1612 wrote to memory of 4012	1612	Dohmlp32.exe	101
PID 1612 wrote to memory of 4012	1612	Dohmlp32.exe	101
PID 4012 wrote to memory of 1240	4012	Dcdimopp.exe	102
PID 4012 wrote to memory of 1240	4012	Dcdimopp.exe	102
PID 4012 wrote to memory of 1240	4012	Dcdimopp.exe	102
PID 1240 wrote to memory of 3360	1240	Debeijoc.exe	103
PID 1240 wrote to memory of 3360	1240	Debeijoc.exe	103
PID 1240 wrote to memory of 3360	1240	Debeijoc.exe	103
PID 3360 wrote to memory of 4604	3360	Djnaji32.exe	104
PID 3360 wrote to memory of 4604	3360	Djnaji32.exe	104
PID 3360 wrote to memory of 4604	3360	Djnaji32.exe	104
PID 4604 wrote to memory of 1112	4604	Dllmfd32.exe	105
PID 4604 wrote to memory of 1112	4604	Dllmfd32.exe	105
PID 4604 wrote to memory of 1112	4604	Dllmfd32.exe	105
PID 1112 wrote to memory of 1596	1112	Dphifcoi.exe	106
PID 1112 wrote to memory of 1596	1112	Dphifcoi.exe	106
PID 1112 wrote to memory of 1596	1112	Dphifcoi.exe	106
PID 1596 wrote to memory of 4100	1596	Dcfebonm.exe	107

C:\Users\Admin\AppData\Local\Temp\f85d90a2cec25988d8e82af5049247d9.exe
"C:\Users\Admin\AppData\Local\Temp\f85d90a2cec25988d8e82af5049247d9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\SysWOW64\Cpofpdgd.exe
  C:\Windows\system32\Cpofpdgd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:712
- - C:\Windows\SysWOW64\Cekohk32.exe
    C:\Windows\system32\Cekohk32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\Dhjkdg32.exe
      C:\Windows\system32\Dhjkdg32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3656
    - - C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
      - C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        23⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        26⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        27⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        31⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        32⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        33⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        37⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        39⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        40⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        42⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        44⤵
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        48⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        49⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        51⤵
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        52⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        54⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        60⤵
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        62⤵
        Executes dropped EXE
        
        PID:232
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        63⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        65⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        70⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        71⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        72⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        73⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        74⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        75⤵
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        76⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        77⤵
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        78⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3800
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        80⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4380
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        83⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        85⤵
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        86⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4608
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        88⤵
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        89⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        91⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2696
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        94⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        95⤵
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        96⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        97⤵
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        99⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        100⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        101⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5180
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        104⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        105⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        106⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        109⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        110⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        111⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        112⤵
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        115⤵
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        117⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        119⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        120⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        121⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        122⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        123⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        124⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        125⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6140
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        127⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        128⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        129⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        130⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        131⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        132⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        133⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        134⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        139⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        142⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        145⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        147⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        148⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        149⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        150⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        151⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        152⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        155⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        157⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5972
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        159⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        160⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        161⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        162⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        163⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        164⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        166⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        168⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        169⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6576
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        172⤵
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        173⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        175⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        176⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        177⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        178⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        180⤵
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        181⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        182⤵
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7100
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        184⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        185⤵
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        186⤵
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6272
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        188⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6480
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        191⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6600
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        193⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        194⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        195⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        196⤵
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        197⤵
        Modifies registry class
        
        PID:6956
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        199⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        200⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        202⤵
        Drops file in System32 directory
        
        PID:6436
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        203⤵
        Drops file in System32 directory
        
        PID:6544
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        204⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        205⤵
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        206⤵
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        207⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7008
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        209⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6532
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        211⤵
        Drops file in System32 directory
        
        PID:6784
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        212⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        213⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        214⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        215⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        216⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        217⤵
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        218⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        219⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        220⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        221⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        222⤵
        Modifies registry class
        
        PID:7228
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        223⤵
        Modifies registry class
        
        PID:7268
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        224⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        225⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        226⤵
        Drops file in System32 directory
        
        PID:7396
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        227⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        228⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 400
        229⤵
        Program crash
        
        PID:7564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7476 -ip 7476
1⤵
PID:7540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cekohk32.exe

Filesize
377KB

MD5
8fa312f7d881215c2d82f9d6d92ea78e

SHA1
ae8d588c6de924a69396b7cff7312eeacb0fbcd1

SHA256
08ff3c80206e576a3c4f8142351c1a3cd0f9097b718ba79fcd83233ce25ea4e9

SHA512
53f1ea495ed4e45503c700a61dfa522958a237f5c371d98ee71e5180cbc7e3df2ad1aa6ad2cccb4f7f7434cff3647799ad77b77b8f985dc35f2829098ea61e0e

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
377KB

MD5
1a943c228d5bedd3b269b41ff2b1023e

SHA1
53d8cc3f265ba2d47f23027d10cf0b21e00e872b

SHA256
f3014991c95815ca0ea9d8b97fcfc027a77f2e843298627f764b0075ba181665

SHA512
621b159ad34d8dc89318f8d1b64f57b810404ced2045cef3954a1e7b9cbad5ed19e6b84769075d7c51e745bdf75f48dc81b131d3d097b0a98fae2960382ccd5e

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
377KB

MD5
6d863606640414603dd6d28de7fd7b7a

SHA1
8a8d7cbf80f31bdc0a8c0e558f2421a636cdf9c7

SHA256
f9dd34a88e53775f4bdcc7f586192fd8dd0933d6019679e42c50eaa568c6155d

SHA512
abac74c80805281525fc897964a5545a8527faaf4f9ed4d986af2964bbd73d0769650208fa30a51cbda7f521b4d61fcb011657eb063870ba18d79124bd7301d8

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
377KB

MD5
6a2dd9c3e04b4326c566837f45ece7d2

SHA1
e2b2fe6016bbfcb91506576b85aea955fef8c7bb

SHA256
7e30de42e4821b47882a8ed758ce8c9d1b042c79c617c99aea3cafb71105fb95

SHA512
ef1253b260933879d96898736c7aa7f61d7e24fd51d3906a1cfe231e7fb8b83d1380cff55f8cab1d9d41b3f78e442593f312e9ccbdaa47265eb2fd3961df63b6

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
377KB

MD5
fcf8fd20eaff36edecd07c57e3151336

SHA1
62ad439353b75e188c9b41122d8ad129828b6680

SHA256
443bea280f93574a1a6b3d5f065ed0d4dafecf31da55a99fa9069fc1ca2da594

SHA512
cdf1cbf8e0ba87ce9ebe475dd27e6b15c347fa15bc714dfeba53cf2b63f4bc73f57de8a071925723d18ff5c4ac940aa161c1a1f58d458ee023747570467e4b47

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
377KB

MD5
f03d75f4e367fea009f9ee93aaf11772

SHA1
eb1085ac9ce8696ad9390618d3ca32d6c529f338

SHA256
38f9188eef63e56889f8dcb62522a28a7e94e0f9a81016d8458bd68e91514a1e

SHA512
cb126fe54e563302a7ef59566a169ddfc9dc06b2ccda5fcf08568bd3da73471f17fae221286b9cb4c0ed86cab8961b1dbe625c124d20c10f1e6fea7bc5982c2a

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
377KB

MD5
f2171ba35da18a90a02cd7ff7af6712f

SHA1
5c1b1b64b9ff2a2415a6ce144877c319c8091667

SHA256
003fdfd34ba92682558b2b7d7ae772d1dc9ec236866bc1a042c2a3324300215d

SHA512
1b3c0cc3f19bc5e2d6b2e26fec71e88b9bbc3b1b07ac7a7954d9319e8cc43983e0e481d9fe6ef029b3df91e6d3e08e40b12467738811fcb41e57869588ac2645

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
377KB

MD5
6b95b83a8581128fcf7d00f15d6dad46

SHA1
4af1d99e6c367a86b1ad7407ef4ca4fcc5a8d87a

SHA256
9a976a9f75f725fa1f1f9bc320535e3e921d410c45147acd69b7262e5d83f7f2

SHA512
61e9b75846aad0624485c63dd8566bb5ac4d6fe7514878eaf07ee404271b78ca14dcb5c31453f8ddbb20feaaf6ebb33470e92a6f116fff304d81376891e10014

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
377KB

MD5
02828b42ec9aed5b78ec6176dce41ced

SHA1
33e058ea170a4825b6b29e1f23b236f4f6d7ad04

SHA256
3d03b3550f9f0f1b7bbd7edf9827f9f0c368e71ad4f165f398b8bfe044a98330

SHA512
e3fd84a5b1a50173e415edd0d73ce406f0a862aa06ac927dda4fcb01a2bb6705c41cb6bf155f04760955f19e1219f7dd4a597aee4263daa713ede126c2b560cc

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
377KB

MD5
b6beb1f6e1a07a05309bc4f7af6286c5

SHA1
8757a6e4915f163d9379f74a8717672e98f62890

SHA256
1b903590fa29eeb8d0f6346399bb74b787888735913663a1f1adde3b981fb7ee

SHA512
03b53dd2986de9a438e79545b544201914e9344e649a473b2f69a6569ef11b54fe71e8e0f5fd53b57e9f1f8c14539503bdfa9705a94b639603ff6636ea5be840

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
377KB

MD5
3e92c2257f7db066325701d3cbe9beb6

SHA1
fd166fbb302297a586881074674e4b457d35168d

SHA256
0b787d4824363ab01aeb9dc8d5837246801a7d9a3662f0faabaf3b55ec4da494

SHA512
2bd4db2af6510fa1ec93f0829296e9e5e09feeb76ffe208849e754e72068e74767fb19bb0375872623d52b4b4e08300feaf8250b02e48ecdeea9095fa151f45c

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
377KB

MD5
127b3a94c44f4ce50f0cac5efe206d3b

SHA1
d97c2c1c580a3f79cc4c111188b27ecf019490c0

SHA256
f75f0add4f82ca6e68cf46cc6c338912326e4eeb8872fad7d748892335b2293f

SHA512
d1b24e22cd3d6069e4f62169b1264b658365e38fa8e6ed272230a5fd599aed495137a74cb78e5ef65054eebfe1bbbe6ec718b1722a96e0e943e083577a51db92

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
377KB

MD5
7f1ed67a12e768e5d590e092f29dc36d

SHA1
ba0afd27546162c57aee2004ef092e9a1a8c5035

SHA256
5551622a843233f3caa8044c407d6262d14c15f900aa440b134c69bdc326c91f

SHA512
635bd453ea918cfb4cd59e93f60bfad50d1aabd025dce3e2b749d51a7e6ef69fe34017aba006cd1f7361b5c6b6f9209acca2b2c49dd75df67d5ebb50e135ebf2

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
377KB

MD5
eeea8739cf04d0210a21c8f80997020b

SHA1
f6427de2da2d1f929139e76ee8b16f20ea76f20c

SHA256
92c54d12551b0bb3384710c028fc2240485bdaa2b6e5c4de4abfe4c40d33d50d

SHA512
18ffa79cfcc866e009650bdf920fa7c81e867a54edd9bc5a329fcd5d0f544943690ef8ddc2c99bc2362da73eed917774201e3656e937f91ea8997184d989f37f

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
377KB

MD5
e5f694afb7c147826fd3db0e9fe6ccba

SHA1
cedc853a63907f660fa67196f0cac2cff6176349

SHA256
e8d683a6dd5a208d0efdf6bbcf61129599fa1490c9719934a939388f8fb4d483

SHA512
338505c5d79504025892944fd33fe9362df359be402c1368535534fb6a0505fffe3e7071f7ed0900b8dbeded355d45affaaf7541ba647ac8ba84e0151084c30d

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
377KB

MD5
f5dcbd074a15875876398c619a28e937

SHA1
1918a28bd53fef57b40d94295ab0911a1ca44133

SHA256
ed569ded453a4b4818b7f82b354bfd5046652be403157b41e5786c01499b380b

SHA512
402cbac351d94b7c2b9610a8ab6952fcca758439fdb712d5e502190c8a95f144dcd84d6940928b6d36e86282c27af22a8683579dbb1595e83a8c5f80206345ad

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
377KB

MD5
193a4c8d2c992429ab538d0f4bc58b81

SHA1
b37643f19b5f0df0e39474988a9ad75f552a3d0f

SHA256
f95df20fdda5d26d0eaf8d4e50aa746f3eac6ec546c3d2ee258fa4cf19b52a55

SHA512
19638639deeb78f0e11b36f3c5a65672f7d9945c7902c531f51974de19470ed8ef5d2e8e4b2162dcc616b9e7a10060f189112185be90461dd87e7aeaee6c29da

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
377KB

MD5
f20022de8e0c80f27514a3de3593b01c

SHA1
9763d89edb62ff85fa404a843ca820df787c0c05

SHA256
cd640039d1e7c132124816294a4ddeade8380a61fbfceccd8cf2333361bd4251

SHA512
358475c76e03cfb78ade3650f25dbadd75b58229a2dfafc33af17d3847762b273a9a50ff33a5f228eda53338914aa1cd73be58ce82402a04a52135335a04a231

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
377KB

MD5
0e1d00234d584940b0e4c148244b35aa

SHA1
8a13689ccca55ee42ec914f936136b3b59503c07

SHA256
79aa9faa660b4bb4592a593b067446a7161f64ed269c8bf0bbab076b7041e429

SHA512
fdd92a3a0b279375843cbf5485dd212164f6bea403ddb75795c90a925f3f12a152469cf73b6a8b3bbaee63a153d604bccbb857faf7258e8f03a2c19e68243db4

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
377KB

MD5
434946f24cd161275707fbc028323e26

SHA1
80392edbad88b8464d86d0019b621bef9803521a

SHA256
433283fa8237f8da04b2482bfcbc0f41135a676fb7cc1eb2ffebaa9aa1d95b71

SHA512
409cb70cb70fae05ce0aae5476b24f0d65cffb145ad88f5d1c196cbb56879c1af9a83216519e84aa4ab3fe4f6dd4bc319a526caf8d4cbf89df743baca540c248

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
377KB

MD5
279ca67a8cd86018fe743d0ea51f34ad

SHA1
1a8072111d9f61094aa034e00e25db6585c8aa00

SHA256
cbe7e95234324fce33d2909ded34cc78552a5a14f6d93688bd0518a8f285736a

SHA512
bb804377e5a8b4e10addb63f896cb86fddb4526d296d24a7fb4479d1e372df96a7e6fd1dc13fe888d7657652d3aa8e7fa4b16aa947d8032142f0414b70c8835a

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
377KB

MD5
a8f990f434c38380934495be35f96f8a

SHA1
d6d81ccfdb90d5e294ec4cef1436e8ed5af66c31

SHA256
4876c54e94173d511428f56a81fc426425967a1878873c443687333917194365

SHA512
63b24e9681335708f1731a08268a72b8a28d82f20dce815e97cb7e3b98cff169b602741ae816766250e8d8e8769cdc0de2380e30799a8e77387b685647a9dc72

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
377KB

MD5
eb3b759b7de4d432d4fcadb147be4e6e

SHA1
2a3c873f8f4d26e53aec22ddddce4b57ba377899

SHA256
8d3c46e875a1e814390306d39237f8c55c50a16ee86e450353f32b2009d0e1cd

SHA512
2c55641bf8b9dcb5b6abb48ea2567ba7f7c1049d43841f5399df8a39c0d554ba7c8411199e30581b614f95d63617b8af94bef6785c54c427831de5b92f49154f

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
377KB

MD5
8117ea8cd02cea32662d15724553d919

SHA1
b810a0bda09d08d8658b4d0693320b4491ce6a47

SHA256
7fd086a6fc49544a8b91a3f0be7abe46980584886a934db290fb0a1488715a5c

SHA512
51505a6e1f041eae53d1d91e95079c0179d65917819507982098a1fc11987a9404ba6e9884795e99db494124142756d002163ff439cb8a49464fda31861d0dab

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
377KB

MD5
c421784b33fc08bde99b67fa67059fc4

SHA1
d283bddd01529d1fd3c542acfba272e1a7750ca5

SHA256
67a5ed32af48d375a797f86f14692c288db816f45afbac94558a1e2cb30414c2

SHA512
b666413cf7cdbbb05b72ebb308a67ef6e14e610111fb245f511bcf6c9c233b4527c75ca3c358f00ddb540ba0d03a0c791400c09c5192a55a47883c08f95bb4f4

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
377KB

MD5
5b4d1632e827b85fb143a034770993e7

SHA1
af9ef3b32436141ac187864abcd0179b9780743b

SHA256
4969fce5567f54b4afaf9e4bc24c6500c8a68d13e0b52d07109ae5694dcf1f56

SHA512
63fe2a3b9738d0e8cbd4f6dc1521fccd62553406529a76c04889bd50fa2921fd27994fe1ee74ecfddd1305331d5ffdfe7459e6af31ba74730f2ae55ce1f647b4

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
377KB

MD5
037c11cc437a859d62e0df88e5c7556a

SHA1
f62e3c004836137e29ab475dda1f152c9cd32f36

SHA256
1e04b83dbbafcc9ffca1763bbff1bbd0c74b7ff2f4481f37df7561a154f712d8

SHA512
96e57d1caf093a13a20e01f34ef0919bef9da3f8f06165fed9c44cc236576e23aa2c2aed886a77960c332cbd4d212bf3449eff7408179af0b425e74c453b02ab

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
377KB

MD5
e9e9ca667daf04561851a7800a634358

SHA1
896efdd222bb4fb5c778c981ad7cb1937d83a8a1

SHA256
5ad0590748ed11c849b520075823d02531856435fe318a39e1e5feee044fafb4

SHA512
0612860b88c95d1a0cd404cb476f7f6e73ab32d55ffb9f699e2ff5edda8f3c77c45f76b3161434579b1af52957cd4eb830ddc96c2dc585208d82f6dd144d408e

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
377KB

MD5
c7b865e36ddf0f1f6138ce86b05cc704

SHA1
9c6c9552ea70d2c92446744dd92ea9a75fa0408c

SHA256
ff77e001f69a2c895f251aa6d66537eba0f3c1d38974b19ad50a55b71e630697

SHA512
d9d586e96857d2f62d7551d5a03b1c32202c38e5779d75892fc16ae20a6280c9fcad0a4d900d1f67f2575dffc19b4aefffef6c5677f7b64e8f901a632ff11aef

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
377KB

MD5
ee7d9a2b23251fb4ded7af3731c3f5d2

SHA1
0172a05dec83a50d2cd2540d5a71548101190b22

SHA256
1ab7b9e3f733d580618f013e1e95dae9332a0b189835628b27c285389b553df4

SHA512
1a92f6b48281480e678d7af24c3f29b6c056ab9174bc2ef7635b4de77f035bce748c48fbab9cad1e5a4e1ff3880274fb56e02225d028239a1210d655b6960437

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
377KB

MD5
db48a8a46bf40c93e68ec3b44392d48d

SHA1
9c3789d19760580dc9e1e508004df077c612c574

SHA256
54eadb249986eadaa70f6193b5d147789650f22ca3b7f51fd66c8f5876be46bf

SHA512
94bd88253cc97768a46a74410c86f7797a00153b07d3a766d0b68e05ba04c1aa630850bb1a6613b8936a7831ce697f2a24969d4e2de158e1ee9947322afc2486

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
377KB

MD5
cf22015ab198199953031b4170e8c7f6

SHA1
35b8682195b2b06e896f4ca92466afd3aa98beec

SHA256
ecfa5a7a2d08acf65dbbd3435e4020950db2166cd7a89eebfdab399482bc8cff

SHA512
82a376c68541b55aa6ce503b5c6ea03ee23ba5472f9608d31d929256b2415967425a0ffb0457b2e8045d7539f55faf1be4b7d2c0fa12670aaac340715a3cf00e

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
377KB

MD5
97c4c33fc52745970fe477a5da34fed6

SHA1
77ec9ebb3a64656b8fd9be7ed2eb2f8db86cdd6b

SHA256
69544592438b38f0055ee3816e3f98ffe0280a4a2528d11b3da2a64fb7c44a1c

SHA512
afb8d0f74b5032424f5c148edebebfb0f1a94aa9a87f5a04923873f9ba175bdf3786edda0158e91a0167606cbcdec59fa9ccbdbda45ae4a89210bbcc85c0b6f1

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
377KB

MD5
7131c5922c4cf866cf5af9505fbba666

SHA1
f84f40b39da0ab70aa5c6a3508755b6273fe28d8

SHA256
61f20a3350437c69ff5b6edcf14ff41582020e38cb09666569e528de8bc54062

SHA512
9a9ffdcd0c867ed5eea528030b777db13ee76b983ee8ddf0fecaee8ab65009300ab9e6780cf95ef4b7e6a2172bdf49dae8a22cdfec7f23d72988d424075aa404

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
377KB

MD5
b5177cebcd63a5d7be6822a14233c488

SHA1
5c7635effdc2898fc4801530b7953e1c1443b679

SHA256
d9d3310ecdbf211d3b0a89381da62136c510bb1639465fae3047511b8c8bdf1d

SHA512
de680dcfddb4a62fd32f8663bdcfea9bfb610231b190b2af080bfe6adb0fdb70c6ff30f9dcc7543759cb161d3871597250801562afbc52044192ecb0820f19ed

Download Submit
C:\Windows\SysWOW64\Ipckgh32.exe

Filesize
377KB

MD5
ce0725fc251704908edd7c0e25ae5a45

SHA1
72c8344ae58f841c1ac790a1f94d23a383f8a917

SHA256
cf616ec73f1c90c23cd705043fd05682c1f9621ea4610220f1d5f25b8b3e3b16

SHA512
ede8b90e5490112b3c286069c22f4e6ef9d2e6dce4d84fe7c1eef1ea90890bfb57b685f6b15f80697704de2ae68aaf66d3d02dbd9f64da761b0393698dc34b61

Download Submit
C:\Windows\SysWOW64\Jmnaakne.exe

Filesize
377KB

MD5
6af4d8cdafcbdd4b39b08e9f0f0cda0c

SHA1
33fec3b33b0775d0febe07638e48f854a3780de2

SHA256
9741f7590f6f60a222dc26b141219ae28b837c85738a34b2c9fe6fd4c53ea315

SHA512
6ddbf65a314a018e74ffea2cce56980ca06d08a5fb6393ccc4b4d07baf858f9af967397b6d7fe2ec069a4d295c1c320b0ddbfad0f34c83d56da80ceafa0bd559

Download Submit
C:\Windows\SysWOW64\Jpojcf32.exe

Filesize
377KB

MD5
91af1a58f3ab9e0a395a60c93ade524a

SHA1
cede0e9c6816546068f15c0d914907879fbb7fa4

SHA256
cad0b34c0804989f555ef2166638288263792d380d850b2d98c85254eed473e8

SHA512
07c3908854d8bb3b3c2a882cde3673938d4b816bb2887c65a3fa95d7165aff8008fcaf3cf568bf4ec7f498a50cc2aff338e26947dcf8041a044aff81f06d2999

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
377KB

MD5
de21bac8637757047ad03b184a40e2d9

SHA1
e9a0ce8d1ace65401bd89c1b64f219f70f0dc8d1

SHA256
968ef6a1816af307ee7b0b83fff70aa266ece04d138ad5633d45a7388b5d016b

SHA512
075ac65c94f82216e7ecea927c8b58d7d3b237ba33e94a86ff92ec9609bef2235d05d7b2044204da7d140af48cf8375971ee30fa379326286339fdcc20326d23

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
377KB

MD5
fb6cb070ab5681400486b2320818a89f

SHA1
610a20d60bd1c4efb9c1657d449fd3e50c805613

SHA256
9f69b852d52d836fa3d45a1471bf0a9c7db87295e8465a9ce5a433ff409a6f9f

SHA512
dd7e01590deb018fe57331d8f950f84e1857942b0a9337b84ef0be15c5858921e09124842675045da08cf4aa37c7637e44d33cdb3486bf135e2727cc95c00a99

Download Submit
memory/428-409-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/468-394-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/528-416-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/556-371-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/656-5-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/656-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/656-465-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/712-9-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/744-365-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/808-400-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1072-579-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1104-421-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1112-376-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1236-487-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1516-521-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1532-447-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1552-445-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1556-492-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1596-381-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1660-448-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1804-352-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1952-430-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2084-349-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2088-415-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2100-351-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2204-563-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2208-440-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2264-384-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2380-466-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2396-531-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2452-372-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2588-393-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2632-463-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2696-580-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2896-385-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3112-33-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3148-423-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3208-494-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3320-402-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3360-374-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3436-424-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3508-408-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3540-17-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3580-383-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3656-25-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3800-510-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3916-353-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3984-359-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4012-373-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4188-391-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4328-560-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4364-437-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4444-545-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4492-586-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4604-375-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4608-551-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4628-439-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4672-432-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4756-401-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4780-543-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4792-601-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4928-392-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4984-533-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5056-431-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads