274625868088d92689ebe4d9035704b3bf20b594518135b8f00089d6672c717a

Analysis

max time kernel
93s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a58bcd72903b4b10d0a284a33929cba.exe
Size

101KB
MD5

3a58bcd72903b4b10d0a284a33929cba
SHA1

b830312f8ec6d07aa6b3c9cb126c831e589430f1
SHA256

274625868088d92689ebe4d9035704b3bf20b594518135b8f00089d6672c717a
SHA512

87ec99ab633ab90728abb2d5c858670811593724f312d0dc2e453db98e8ecbdc97d900076b42e3a573188b708a58bb31568255d4c3f0c4b0272e8fc13e483272
SSDEEP

3072:behRzoTJFPhOe3i3/zrB3g3k8p4qI4/HQCC:bEzoTzfuPBZs/HNC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3a58bcd72903b4b10d0a284a33929cba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Commqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Clnadfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpcpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cojqkbdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhjkdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe

Executes dropped EXE 64 IoCs

pid	Process
4952	Clldogdc.exe
4064	Cojqkbdf.exe
3960	Caimgncj.exe
2900	Cedihl32.exe
1860	Clnadfbp.exe
4168	Commqb32.exe
2936	Cakjmm32.exe
3576	Cibank32.exe
3668	Clqnjf32.exe
2728	Coojfa32.exe
1428	Ceibclgn.exe
5076	Cpofpdgd.exe
4876	Ccmclp32.exe
2188	Cekohk32.exe
1644	Digkijmd.exe
3768	Dhjkdg32.exe
3028	Dpacfd32.exe
3284	Dcopbp32.exe
4236	Dpcpkc32.exe
1216	Djlddi32.exe
3920	Dhnepfpj.exe
3364	Dohmlp32.exe
3136	Debeijoc.exe
3484	Dhqaefng.exe
1912	Dphifcoi.exe
3220	Daifnk32.exe
4460	Dfdbojmq.exe
2044	Dhcnke32.exe
3128	Dpjflb32.exe
3304	Dchbhn32.exe
4324	Ejbkehcg.exe
1172	Ehekqe32.exe
4036	Epmcab32.exe
4428	Eckonn32.exe
1152	Ebnoikqb.exe
1248	Ejegjh32.exe
1028	Elccfc32.exe
4940	Ecmlcmhe.exe
1220	Ehjdldfl.exe
2424	Eqalmafo.exe
4400	Ebbidj32.exe
4484	Elhmablc.exe
2436	Eofinnkf.exe
908	Ebeejijj.exe
4220	Ejlmkgkl.exe
1076	Emjjgbjp.exe
3804	Eqfeha32.exe
8	Ecdbdl32.exe
1640	Ffbnph32.exe
4116	Fmmfmbhn.exe
532	Fqhbmqqg.exe
1572	Fbioei32.exe
4944	Fjqgff32.exe
4028	Fmocba32.exe
4844	Fqkocpod.exe
4960	Fjcclf32.exe
2064	Fifdgblo.exe
1156	Fckhdk32.exe
684	Ffjdqg32.exe
3384	Fjepaecb.exe
768	Fmclmabe.exe
4564	Fobiilai.exe
4984	Fcnejk32.exe
4192	Fflaff32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Icjmmg32.exe	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Ehekqe32.exe	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Elhmablc.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ebbidj32.exe	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Jcgaen32.dll	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Cpofpdgd.exe	Ceibclgn.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fkokhc32.dll	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Dohmlp32.exe	Dhnepfpj.exe
File created	C:\Windows\SysWOW64\Omccgkde.dll	Dohmlp32.exe
File created	C:\Windows\SysWOW64\Dphifcoi.exe	Dhqaefng.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Fopfdhej.dll	Caimgncj.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dhqaefng.exe	Debeijoc.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Eckonn32.exe	Epmcab32.exe
File opened for modification	C:\Windows\SysWOW64\Emjjgbjp.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Dhcnke32.exe	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Ecdbdl32.exe	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ehekqe32.exe	Ejbkehcg.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ccmclp32.exe	Cpofpdgd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7820	7728	WerFault.exe	312

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cedihl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpcpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caimgncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceibclgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlnpc32.dll"	Ceibclgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccmclp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3a58bcd72903b4b10d0a284a33929cba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fflaff32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4952	4280	3a58bcd72903b4b10d0a284a33929cba.exe	86
PID 4280 wrote to memory of 4952	4280	3a58bcd72903b4b10d0a284a33929cba.exe	86
PID 4280 wrote to memory of 4952	4280	3a58bcd72903b4b10d0a284a33929cba.exe	86
PID 4952 wrote to memory of 4064	4952	Clldogdc.exe	87
PID 4952 wrote to memory of 4064	4952	Clldogdc.exe	87
PID 4952 wrote to memory of 4064	4952	Clldogdc.exe	87
PID 4064 wrote to memory of 3960	4064	Cojqkbdf.exe	88
PID 4064 wrote to memory of 3960	4064	Cojqkbdf.exe	88
PID 4064 wrote to memory of 3960	4064	Cojqkbdf.exe	88
PID 3960 wrote to memory of 2900	3960	Caimgncj.exe	89
PID 3960 wrote to memory of 2900	3960	Caimgncj.exe	89
PID 3960 wrote to memory of 2900	3960	Caimgncj.exe	89
PID 2900 wrote to memory of 1860	2900	Cedihl32.exe	90
PID 2900 wrote to memory of 1860	2900	Cedihl32.exe	90
PID 2900 wrote to memory of 1860	2900	Cedihl32.exe	90
PID 1860 wrote to memory of 4168	1860	Clnadfbp.exe	91
PID 1860 wrote to memory of 4168	1860	Clnadfbp.exe	91
PID 1860 wrote to memory of 4168	1860	Clnadfbp.exe	91
PID 4168 wrote to memory of 2936	4168	Commqb32.exe	92
PID 4168 wrote to memory of 2936	4168	Commqb32.exe	92
PID 4168 wrote to memory of 2936	4168	Commqb32.exe	92
PID 2936 wrote to memory of 3576	2936	Cakjmm32.exe	93
PID 2936 wrote to memory of 3576	2936	Cakjmm32.exe	93
PID 2936 wrote to memory of 3576	2936	Cakjmm32.exe	93
PID 3576 wrote to memory of 3668	3576	Cibank32.exe	94
PID 3576 wrote to memory of 3668	3576	Cibank32.exe	94
PID 3576 wrote to memory of 3668	3576	Cibank32.exe	94
PID 3668 wrote to memory of 2728	3668	Clqnjf32.exe	95
PID 3668 wrote to memory of 2728	3668	Clqnjf32.exe	95
PID 3668 wrote to memory of 2728	3668	Clqnjf32.exe	95
PID 2728 wrote to memory of 1428	2728	Coojfa32.exe	96
PID 2728 wrote to memory of 1428	2728	Coojfa32.exe	96
PID 2728 wrote to memory of 1428	2728	Coojfa32.exe	96
PID 1428 wrote to memory of 5076	1428	Ceibclgn.exe	97
PID 1428 wrote to memory of 5076	1428	Ceibclgn.exe	97
PID 1428 wrote to memory of 5076	1428	Ceibclgn.exe	97
PID 5076 wrote to memory of 4876	5076	Cpofpdgd.exe	98
PID 5076 wrote to memory of 4876	5076	Cpofpdgd.exe	98
PID 5076 wrote to memory of 4876	5076	Cpofpdgd.exe	98
PID 4876 wrote to memory of 2188	4876	Ccmclp32.exe	99
PID 4876 wrote to memory of 2188	4876	Ccmclp32.exe	99
PID 4876 wrote to memory of 2188	4876	Ccmclp32.exe	99
PID 2188 wrote to memory of 1644	2188	Cekohk32.exe	100
PID 2188 wrote to memory of 1644	2188	Cekohk32.exe	100
PID 2188 wrote to memory of 1644	2188	Cekohk32.exe	100
PID 1644 wrote to memory of 3768	1644	Digkijmd.exe	101
PID 1644 wrote to memory of 3768	1644	Digkijmd.exe	101
PID 1644 wrote to memory of 3768	1644	Digkijmd.exe	101
PID 3768 wrote to memory of 3028	3768	Dhjkdg32.exe	102
PID 3768 wrote to memory of 3028	3768	Dhjkdg32.exe	102
PID 3768 wrote to memory of 3028	3768	Dhjkdg32.exe	102
PID 3028 wrote to memory of 3284	3028	Dpacfd32.exe	103
PID 3028 wrote to memory of 3284	3028	Dpacfd32.exe	103
PID 3028 wrote to memory of 3284	3028	Dpacfd32.exe	103
PID 3284 wrote to memory of 4236	3284	Dcopbp32.exe	105
PID 3284 wrote to memory of 4236	3284	Dcopbp32.exe	105
PID 3284 wrote to memory of 4236	3284	Dcopbp32.exe	105
PID 4236 wrote to memory of 1216	4236	Dpcpkc32.exe	107
PID 4236 wrote to memory of 1216	4236	Dpcpkc32.exe	107
PID 4236 wrote to memory of 1216	4236	Dpcpkc32.exe	107
PID 1216 wrote to memory of 3920	1216	Djlddi32.exe	108
PID 1216 wrote to memory of 3920	1216	Djlddi32.exe	108
PID 1216 wrote to memory of 3920	1216	Djlddi32.exe	108
PID 3920 wrote to memory of 3364	3920	Dhnepfpj.exe	109

C:\Users\Admin\AppData\Local\Temp\3a58bcd72903b4b10d0a284a33929cba.exe
"C:\Users\Admin\AppData\Local\Temp\3a58bcd72903b4b10d0a284a33929cba.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\SysWOW64\Clldogdc.exe
  C:\Windows\system32\Clldogdc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Windows\SysWOW64\Cojqkbdf.exe
    C:\Windows\system32\Cojqkbdf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\SysWOW64\Caimgncj.exe
      C:\Windows\system32\Caimgncj.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
      - C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3364
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        27⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        29⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        30⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        31⤵
        Executes dropped EXE
        
        PID:3304
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        35⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        37⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        38⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4940
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        40⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        44⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        45⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        49⤵
        Executes dropped EXE
        
        PID:8
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        57⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        58⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        59⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        62⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        66⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3716
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4740
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        69⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        72⤵
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        73⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        75⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        76⤵
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4432
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        78⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1500
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4136
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        81⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        83⤵
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        84⤵
        
        PID:620
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        85⤵
        
        PID:636
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        86⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        88⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        89⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        92⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        93⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        94⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        95⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        96⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        98⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5468
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        103⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        106⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        108⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        109⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        111⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        112⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        113⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        115⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        116⤵
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        119⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        120⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        122⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        123⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        125⤵
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5800
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        131⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        133⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        135⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5432
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        137⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5888
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        141⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        142⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        143⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        144⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        145⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        148⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        149⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        150⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        151⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        152⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        153⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        154⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        155⤵
        Modifies registry class
        
        PID:6196
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6316
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        159⤵
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6396
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        162⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        163⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        165⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        166⤵
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        167⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        169⤵
        Modifies registry class
        
        PID:6780
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6824
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        171⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6948
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        175⤵
        Drops file in System32 directory
        
        PID:7044
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        176⤵
        Drops file in System32 directory
        
        PID:7084
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        177⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        179⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6260
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        181⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        182⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        183⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6600
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        186⤵
        Modifies registry class
        
        PID:6760
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        187⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        188⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        189⤵
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        190⤵
        Modifies registry class
        
        PID:7060
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        191⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6324
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        193⤵
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6592
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        196⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        197⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        198⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        199⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        200⤵
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        201⤵
        Modifies registry class
        
        PID:6792
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        202⤵
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        203⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        204⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        207⤵
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        208⤵
        Modifies registry class
        
        PID:7180
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7224
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        210⤵
        Modifies registry class
        
        PID:7268
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        211⤵
        Drops file in System32 directory
        
        PID:7312
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        212⤵
        Drops file in System32 directory
        
        PID:7352
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7396
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        214⤵
        Drops file in System32 directory
        
        PID:7440
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        215⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        216⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        217⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        218⤵
        Modifies registry class
        
        PID:7600
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        219⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7648
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        220⤵
        Drops file in System32 directory
        
        PID:7688
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        221⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7728 -s 420
        222⤵
        Program crash
        
        PID:7820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7728 -ip 7728
1⤵
PID:7792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caimgncj.exe

Filesize
101KB

MD5
630157dee528e79d66ae4b5b42ddbbf8

SHA1
ab89fae578be1ee1c983dec3073995dc816f764f

SHA256
4d613a495c6e0a60f475f768a523a816f792ac1e8b461cedefdae8cf10c7b4ed

SHA512
91c798cf7edd43c9a05d0d96e3a5f069d2b8a1a6ee94588627f43b92958b6dd76916ef830b49335fdf3c1c39d702ec4384a6cbc43b64184ca45ab9e20987321e

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
101KB

MD5
83fa4f223f5fb09bae098de6cada7597

SHA1
f8da1d0b164688ae5cc988b7deee044060fd1fb4

SHA256
91043733f30c0cd1caa86aac2165b499f4031ba8ac240ef5f75d15a42ff2cd03

SHA512
aa30b5fe703c8862cc0ceae581f3595e037cb4b6dbac1d39c69830c3ed4c5c350e4e3d65e172a566cd2fc2ab004bca1c71318722a76912cf2fbfb4df0ce947cb

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
101KB

MD5
b8fc27543059dd03fd532cfa74d127f1

SHA1
7ff532fb96f8bf0421ef9fd86dc5816a22944344

SHA256
9627d1a0e72ab6cc576fc5de1c8ed466ae4db5216acda9909f9e15e1717c781e

SHA512
ccfa72d74bfeae33581bce9632830c54c3b90abb9b496ec12c995411503825ff6cbdf149ebd833bbea0b97e2470ac8091ae8b87199ed689aea364349f0947b7f

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
101KB

MD5
fb62cbc2333597bdfed500e50bb022de

SHA1
53c5d4b0bd15ab7ca3292898c8ebfe4b744c8c69

SHA256
e5248f50baf3ef236980e67ad82d6ffc34fdaabb8b46de3aa1db3a29cfb68063

SHA512
6183b91c2ecb362c73cafa2d71f01d9e35a3caee9fd3c480b1334867bcd0748db43c71472093ca200046a80de5a7a743eb564830a41b9c08c36885d5744b295b

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
101KB

MD5
d15d8987c4c0ccb9deb966c6d59d4ac7

SHA1
e87e82937c61f9643158edef9213702ec5b52063

SHA256
bb5a93607d4f9fa4007b4c26f28c27a3402b1c2bf20bc237ba04712f00cbdb1b

SHA512
eba6207e92555bffada0acc7799dbf783754cbcf9cd8cbba14eeb49750e22e24880f774aa197f5531e0ea16aa3ba19765d20debe79b7bfcee650e96f85e36666

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
101KB

MD5
69c354d54df285d1da508fd5ebf966c9

SHA1
eb8192dfd205a5b2225d50eecad4e047f5d65490

SHA256
63722fb40117ecf9c4d6df2acb42c509dd3f83a1aebca00892c07079f572c6fd

SHA512
a381af0fecd6e268690aa096001c59cbc744aff9356d4a8a348ec30dfcf1ff3bb2f2e33f53296c1a97a546e4565aae19e698d109ce533be794e2781d6929243c

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
101KB

MD5
65f0e1896c3bb09ac797c6452ab6e0ce

SHA1
d25292120252e2bfff04b57e899871f7bdc0c9fc

SHA256
4bf47ef636aa347db514bfc9fc927a0bbc336960ffbd27a7ca10263bd35668dd

SHA512
46cc48763a63500c6a2eb2db8d897d2b4cb1676ac205141aca9d025968f112aaa359ec14cdd90480ed9dbbf73b7bff1c7b4130e1c3771a653e24f3e81372e8cb

Download Submit
C:\Windows\SysWOW64\Clldogdc.exe

Filesize
101KB

MD5
0de1cf7a7558cc70055b071abd37bca2

SHA1
a011de144ed046656733e52d12bdf905a5c05b50

SHA256
cbb9f8d40d39a6ed5cda4f91b8bf13497be9c71974bebff7faaee086c9176bcd

SHA512
cb721e9ca3b792f440f7d15c0de728b789b558b2502d401b9969eebb6138a898d4944fef4aa6d882530e1baae3e5eed7a4af4771788aa21b2ffd106ddc5e6c0f

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
101KB

MD5
571b24cbb12bb7eaa89b1a1532960d3c

SHA1
e84200628ce053a69392fddfdcccd5c482280ec4

SHA256
2cbff393be874e6ff980bff766471716ae9ac4459a3b02b1073aa72295ce3fd4

SHA512
3d63c7b386580a5288b019d41769f3b6a4bed1e31cf8a2172c6e8cf2e98e576187d47d173e89351b7efb5f9b6f4983e6d6e67d65139526dd1d575fc6dde62eb6

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
101KB

MD5
35456d0d465a48f25976e302351bc9fe

SHA1
546c333a695efc9d86a2c804df6541b184e55192

SHA256
bf928b90306379e7665f76fdd63e34d4ecc29d09eb8fc2fba54d897b2cc3fc0f

SHA512
8bc4dd0a6f6337532211fd70c72c32389cc2ff74cb0d9a23356c055df1b0a6d3015c347e875a93c933efe025b48e5920ac4da03c8874cc30f6d757aeac6d7e79

Download Submit
C:\Windows\SysWOW64\Cojqkbdf.exe

Filesize
101KB

MD5
466514625c765cd127b6960a9548740c

SHA1
86ae5ecb1a61e45776cc8275c2d5f7cd93b5b6c2

SHA256
ecf03d01e05b68a5b46179d720edfa9d16353e7cea631c125b551331ff1aebf0

SHA512
61ff4a8bb077f0febc6b74a794bf19ab101a56e2147349a47830180b813af64dc7f4580aaacb41cedf5b6f6b2fe5db6baf25db7c5a4ad2a97090e9f13397bc2c

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
101KB

MD5
aab920ade2c0e7c9762a31a9364939e0

SHA1
33556cff2fc5d78c0af303a3b48fb2a88499c599

SHA256
9d8927665108e137c6af7917d79f1cca452588ec1708753911728d2e1d8018cf

SHA512
a17f4099c7156421b1411591c25bf73989e79ad29975598ba826d4980b979652f6899ec3a420ae9ffae49bb99acb7ce889203effb72644d0cebc45ae9cb4b7cb

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
101KB

MD5
9eb6994946c37af07b0ee21758b97f58

SHA1
ab332f2e333ab8b2bcc723a45bd4f2b331ed3d0b

SHA256
5e598442e84702d971251decd5d2f4998989ea4796bcb639159c82afa46a626f

SHA512
0a97956df1b127c24e2ce8fc14250d324b9abe947cd9f3761c2af057347d13c5049772a407471d362da3f3290801e2d9a88e4b6dc00e11d9f1b3766ac4a0e5d7

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
101KB

MD5
950ed9ab184ae221e43545dbd7985bff

SHA1
b16c1e85f05b416e3db7001b11c6f8ede222adf2

SHA256
25cc52e97cf24b75b04b8780330ae19ca8cf36ed1b811efbddde938108ceab45

SHA512
3b8814dbd90bcb8e2867dbb7286a63a27bc6ef35f6c05ca870a6611220ce155402044bd503f520605c1992d9ef650ae8b08161fc7189ff2c7869448f45558a7d

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
101KB

MD5
577c695b01995b68c770e95f4c988ffe

SHA1
876dc0fcce233a9745cee2d9b9208e40b4ab4ab1

SHA256
ddf2b849482d64158458c81a5fc0b24ba3de2e94abd38654f5ad28c07c49cbb6

SHA512
f723a59e9d104c2126113d9624055b8f41ca97e58a24f8baab49e1cf0e267c80414337656325a319dc769b8cdd04200c5fa61437fc5f14b1182cd650670e8f4c

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
101KB

MD5
dac74e50e3e57de096394a2f7ab20224

SHA1
3a65745f5c9f1fe017584c729e00aa016ee27406

SHA256
9298d200863ca75e2ef1cc9eb29034b0b8e15a39171aae2bf8541f9a0e45acef

SHA512
520b0a45dfd608f6ddf21134032c1274c4f70e6f558a8cc4c3c946a8885803b8720f590a02a03e75e7050af517dd5dd6c33d05950d25f6848e4d4590fdb24575

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
101KB

MD5
16ce41e6d979697bbee0c0af1914d7d6

SHA1
1042709fa1ce0e96d31f0aa6e26ab446c7503f99

SHA256
37505e25ccffba6fe6f59765bc73ab132d08453e2cb7ae4ccf9231983a96b390

SHA512
739f3c4de746b7667266a4d2652171b1de0241389666929c566e389c38d1a426b6f7e0a4738645f1d58ecd2b7c300014741d10cde6a826bdbc3504f24851ab75

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
101KB

MD5
84b87168530f7545ecc362acfb2f3415

SHA1
472a26f6c9d68cffe884be22058d6435175a7c4e

SHA256
ac5a1eb823ce6601563a57bf6b889e979a0090b5f8d8b739d7672d8dc5af2904

SHA512
3fb34010100607e5aef862485a8dbd639a4f6e5e227b76a4c357695acc1366c95f6bf5e49bf4178be0229c1c8c010a898f382350e634b3eab05722bbfd04f8f0

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
101KB

MD5
2450f2a5d1fc253f9e26c72152af7739

SHA1
ca2418c3b994d30f3e1e515ee6a1ebd7c6ba9576

SHA256
f625058d71514a910424262d9840918ba31ff0c0fefd778766bb0757f8ecce2a

SHA512
895c7e3ef56fd3a8cf3b1fcab2bf6cd92450eb9755efb4617a5ac8fcf76346360b55d431d0ca89b57ee78573f08c0397da70ab2e017ed671b9f8ac886d98c9d5

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
101KB

MD5
853dcc492e02cd4864be02fb954b67be

SHA1
62a61240c56cd237eae0a05bd1ae060f87279508

SHA256
4b1b158e79276fdda63ed39964981789cda61158678617c8e253c914f72b016a

SHA512
6a0543af6d408c39aa647981ec31bd12f2d34f497296d7c0d9cff054f07415ef8d65517e7b6ec4856bcdce12673fe043a9d395826a9523bdaeaabcf78abe8aee

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
101KB

MD5
ac7d6afccf1559526897659efded4603

SHA1
3a1494e0bfe1c6214a06a85a3795e3b74de99980

SHA256
dc4a8b1f4e80b72151642ef2e5104a77ac9d1746b2d14e789901a37b0f213748

SHA512
e42cee2469f6e95b4775d7cf761f53186fc14480583922c76de6363976c8a2d543c54ed341436ffdd58b75cf57ed1b8011ce0f6c79b6a673d22d39f7593e2ab7

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
101KB

MD5
406e7b60eaf60108c77c199c6e23a8d6

SHA1
04c3222b14e92cc72e805f1c18a6b939e97bdd40

SHA256
6c0be831c2b7ee2466a4d9f8380832459030d4fafdfe9387e33424f52918c873

SHA512
743240cf6ef08724b13e9b1499bc8e053ca9db5af45840db093b8c27da0f27333c25c5d6e579408c3c4968859188daf24fbf34bef6df260766122a23936b14e9

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
101KB

MD5
653a187dbd724520a882a9c26a6f4821

SHA1
b0d883fb4d4ea2102ea1a65acda06b17b6bd0595

SHA256
3c2a96e9f1cae042bff59eb5c23eabe052cbc36c081f22109670bf74697e4e68

SHA512
11f3480c8499cf2ff83e13ade30e1dac111749ec676fafcd663ded9b44cd5420779c8c5195d15feba107d92fcc3dc74f0ebf3c03b25169ac348fcc9880623511

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
101KB

MD5
fcb623b0d845ec66a43c417418b3d1bf

SHA1
db85d5019f4d582a571cc1f4f6f3892a6564219d

SHA256
651734287d149ebbc23182bedfbedb13fe2d5f1a63021bb22586695dcacb749b

SHA512
b8f6ab13cfe8085a2b7c6e54c63b148123a765bc6400786344774be42d074acd57624e49193c604c7fdfa141cd59b76f99cf9968c18bf965942a24fa190f4711

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
101KB

MD5
c9bd106df562351d98ac50c552e7784a

SHA1
d9a43a281bae34556ec0f052b7eabe9f91f4e1bf

SHA256
a4eadde721f930972712d89504188bdc7ea080b249298797b754937aadc1ca1f

SHA512
2e4365eab300fb9407db89a35a31591c49b916e6a1a74183e233a9e365b796a42e4fa17aa5434d298a6e04f010aa606cd83c4eb3c6fc6be4491d99e503d461ca

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
101KB

MD5
be934ac8293f86deedfa3e5651eb17eb

SHA1
63976efd987e73ce72d6aa8768981b8f4cc78c83

SHA256
a49770311303fdd7d9a76537671467b1ec2a66eee19fbfa3d742732fb9bf5992

SHA512
3a2f8b5fc6d9d051ee28ca843fd8bca84e4d2f3d24865193a9445d905dd6dcef5a87c000eb60d2c77fe95ed64b90823a085193e41e7e39cff93f537395764b61

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
101KB

MD5
5c98e5008046c7fc5a49f8a8e7dfa858

SHA1
cf1d2817068fce9be3c5110a224bc0e5775e7140

SHA256
223e0d1acc65d2989c62353944c38edf6f01aaa50a8e2e38d2db8dc5e63b51f5

SHA512
fb3a6350be6dddca3808c3b39119cd5f0ad388a889e6a989975b4fda34ebd81016f9950a767efe92b96237b41ad9feaa1e987a6fd1b99167cf955fdccc7dcb8d

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
101KB

MD5
cb5f68a2d5aec2b1a72f7b6b3dab78d4

SHA1
570cca6dde2a99216207bc93307c4876e85f69a7

SHA256
0999b17f9337dc13f83fe2eba986d692b4cf89570315c5b030d99333cab97659

SHA512
812676784b2e6549f2f00c9336d75ab2644727ca3e6c436439ce7eaa8e4d64a9819d41b6fd6201d1004beffafc2762e9e52976a7fde177efb5fa4a02959f3d24

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
101KB

MD5
5c8dd4a830245317929bfc6dcb4dfa80

SHA1
042e124ee6662ac42712e440ff69858bc0c473a7

SHA256
b7a62b4b5693e9f470900630f6604a524f284ac60137115c8fc678ae15ef1132

SHA512
9fba96fdbfbc2d435096f59f5420e2551e69f5ecb5fe37f35613404336998407c799b75e1705a872cdb634a4a46dc927ee88f7af12933854977277cfb5678acd

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
101KB

MD5
1a14abd8091794eae53cb8a81b9387bd

SHA1
c7bd0e5a3c38cd83805a8514133eda3e57c4b6d5

SHA256
3b1a49c75a95f811ae506b41aeaaa742b80a13b09294fc1051408d4db7f9db2d

SHA512
7c4b7be6c2f6f2e2a9a40787c211a19d0dc44618b90ab83f0e503fe4c0682b61286157a8b4b98e0a8bc4eee9f70bcb0081fe045a10499b20642b2e2dc9971235

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
101KB

MD5
99c70a995e1942e4a0d53b6d3936e567

SHA1
1d110a6867e9ba7fcb6865474b43667710ed2849

SHA256
ed5323460c51d08f4030996c3456ca73f7ba3fc73eb6621f153ed7e9bf15868f

SHA512
b19ae9dc203245a992c6b4dd02e76d910b5a4d819c0e22cd548dce55774c5fd41b422bd6c24aab029ad913f3e4cead6d54aa9ff656b25bbdca1dcf2916b0e820

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
101KB

MD5
a20265b311c7d0146ba4dfb91ab7925e

SHA1
1fef7f876c0781aff110610f3df085470ff128db

SHA256
84fe6c357fbca7c8a36347a88cf8db46503d87f161e8108a5179e71617441772

SHA512
865d3e486bee37b495d4b5fcb239e163e6812757eb7037056b75a3c0ccef45755cbd8954ad165d79865dcb02d016d0b293fd412d067885d8af1b601a94f4da65

Download Submit
C:\Windows\SysWOW64\Jilbbcha.dll

Filesize
7KB

MD5
ffc80c1d166e0cf5965d2c173047f0b5

SHA1
eaa79e450d96964a919e42bd25065ddc174ef5ff

SHA256
0d5fab8c40e9d96e7db349deb7e9e919975d638f207fe1ba256d484a6748018d

SHA512
4fdab819493c8157ab76165e6376afd36982af0d01ae22b5ba4eb3f9dfb9918c40f76644ccd7bad449574a9db4b7280529a1e8198324eab3bf6b87fc6c278554

Download Submit
memory/8-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/532-374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/684-423-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/768-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/908-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1028-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1076-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1156-416-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1172-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1216-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1220-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1248-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1428-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1572-380-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1640-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1644-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1860-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1912-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2044-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2064-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-126-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-322-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2728-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2900-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2936-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3028-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3128-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3136-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3220-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3284-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3304-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3364-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3384-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3484-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3576-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3668-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3768-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3920-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3960-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4036-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4064-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4168-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4220-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4236-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4280-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4324-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4428-273-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4460-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4484-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4876-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4940-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4952-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4960-405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4984-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5076-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads