00eea38a61f351a55a0311e9be5c21dc3ef6cd685649154febfbe7b1b498fb09

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00eea38a61f351a55a0311e9be5c21dc3ef6cd685649154febfbe7b1b498fb09.exe
Size

422KB
MD5

de4337722bf7f422082e70b0aa34cf13
SHA1

2d1a25727334e4ef7fe0d01745c4d9f713c1f53d
SHA256

00eea38a61f351a55a0311e9be5c21dc3ef6cd685649154febfbe7b1b498fb09
SHA512

d2e2efc295b41e02337d4c01f48768faa70b21c75fb084ac2d0f34e0ffb8c307deb11f3f2eabad90f77ddd0345cbf3a823dd14b3024347be72af81c74dc8c63c
SSDEEP

6144:8B0NpwCNbabO6FSPnvZU1AF+6FSPnvZhDYsKKo6FSPnvZU1AF+6FSPnvZq:m0NpwkGaXgA4XfczXgA4XA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpcpkc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Commqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clckpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cidncj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe

Executes dropped EXE 64 IoCs

pid	Process
2368	Cedihl32.exe
1444	Commqb32.exe
1688	Cibank32.exe
1884	Coojfa32.exe
5000	Cidncj32.exe
2960	Clckpf32.exe
4752	Ccmclp32.exe
4708	Digkijmd.exe
1692	Denlnk32.exe
4560	Dhlhjf32.exe
3664	Dpcpkc32.exe
1568	Dcalgo32.exe
1352	Dadlclim.exe
4324	Djlddi32.exe
1468	Dljqpd32.exe
412	Dcdimopp.exe
3580	Dagiil32.exe
4792	Debeijoc.exe
1736	Dhqaefng.exe
3724	Dllmfd32.exe
1316	Dphifcoi.exe
4084	Dcfebonm.exe
4564	Daifnk32.exe
3776	Dfdbojmq.exe
4924	Dhcnke32.exe
4372	Dpjflb32.exe
3084	Dchbhn32.exe
3064	Efgodj32.exe
2568	Ehekqe32.exe
3608	Epmcab32.exe
2072	Eoocmoao.exe
3100	Ebnoikqb.exe
324	Ejegjh32.exe
1972	Ehhgfdho.exe
936	Epopgbia.exe
1888	Ecmlcmhe.exe
2132	Ebploj32.exe
1148	Eqalmafo.exe
3312	Eodlho32.exe
3020	Efneehef.exe
1616	Ejjqeg32.exe
1020	Elhmablc.exe
4944	Eqciba32.exe
4988	Eofinnkf.exe
656	Ecbenm32.exe
3360	Ebeejijj.exe
5096	Ejlmkgkl.exe
1864	Ehonfc32.exe
4816	Eqfeha32.exe
468	Fjnjqfij.exe
3504	Fmmfmbhn.exe
2556	Fjqgff32.exe
2916	Fomonm32.exe
4380	Fbllkh32.exe
4436	Fmapha32.exe
3964	Fmclmabe.exe
1168	Fqohnp32.exe
4868	Fcnejk32.exe
3496	Fflaff32.exe
4544	Fqaeco32.exe
2896	Fodeolof.exe
4224	Gcpapkgp.exe
1276	Gfnnlffc.exe
1920	Gimjhafg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kbbfkb32.dll	Epmcab32.exe
File created	C:\Windows\SysWOW64\Cmddeh32.dll	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fflaff32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Cedihl32.exe	00eea38a61f351a55a0311e9be5c21dc3ef6cd685649154febfbe7b1b498fb09.exe
File created	C:\Windows\SysWOW64\Ebeejijj.exe	Ecbenm32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fkokhc32.dll	Dcfebonm.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Commqb32.exe	Cedihl32.exe
File created	C:\Windows\SysWOW64\Fbllkh32.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Hikfip32.exe	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Eoocmoao.exe	Epmcab32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Ddomph32.dll	Dhqaefng.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Eofinnkf.exe
File opened for modification	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Akkfba32.dll	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Fjnjqfij.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dadlclim.exe	Dcalgo32.exe
File created	C:\Windows\SysWOW64\Dphifcoi.exe	Dllmfd32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Ehekqe32.exe	Efgodj32.exe
File created	C:\Windows\SysWOW64\Eofinnkf.exe	Eqciba32.exe
File opened for modification	C:\Windows\SysWOW64\Habnjm32.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Gqpmkibm.dll	Dhlhjf32.exe
File opened for modification	C:\Windows\SysWOW64\Dagiil32.exe	Dcdimopp.exe
File opened for modification	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Daifnk32.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Ejegjh32.exe	Ebnoikqb.exe
File opened for modification	C:\Windows\SysWOW64\Ecmlcmhe.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Eqfeha32.exe	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6908	6756	WerFault.exe	269

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopeje32.dll"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccgkde.dll"	Dagiil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dljqpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inolmdgj.dll"	Commqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdcekmm.dll"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpmkibm.dll"	Dhlhjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcod32.dll"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll"	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	00eea38a61f351a55a0311e9be5c21dc3ef6cd685649154febfbe7b1b498fb09.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 2368	5064	00eea38a61f351a55a0311e9be5c21dc3ef6cd685649154febfbe7b1b498fb09.exe	85
PID 5064 wrote to memory of 2368	5064	00eea38a61f351a55a0311e9be5c21dc3ef6cd685649154febfbe7b1b498fb09.exe	85
PID 5064 wrote to memory of 2368	5064	00eea38a61f351a55a0311e9be5c21dc3ef6cd685649154febfbe7b1b498fb09.exe	85
PID 2368 wrote to memory of 1444	2368	Cedihl32.exe	86
PID 2368 wrote to memory of 1444	2368	Cedihl32.exe	86
PID 2368 wrote to memory of 1444	2368	Cedihl32.exe	86
PID 1444 wrote to memory of 1688	1444	Commqb32.exe	87
PID 1444 wrote to memory of 1688	1444	Commqb32.exe	87
PID 1444 wrote to memory of 1688	1444	Commqb32.exe	87
PID 1688 wrote to memory of 1884	1688	Cibank32.exe	88
PID 1688 wrote to memory of 1884	1688	Cibank32.exe	88
PID 1688 wrote to memory of 1884	1688	Cibank32.exe	88
PID 1884 wrote to memory of 5000	1884	Coojfa32.exe	89
PID 1884 wrote to memory of 5000	1884	Coojfa32.exe	89
PID 1884 wrote to memory of 5000	1884	Coojfa32.exe	89
PID 5000 wrote to memory of 2960	5000	Cidncj32.exe	90
PID 5000 wrote to memory of 2960	5000	Cidncj32.exe	90
PID 5000 wrote to memory of 2960	5000	Cidncj32.exe	90
PID 2960 wrote to memory of 4752	2960	Clckpf32.exe	91
PID 2960 wrote to memory of 4752	2960	Clckpf32.exe	91
PID 2960 wrote to memory of 4752	2960	Clckpf32.exe	91
PID 4752 wrote to memory of 4708	4752	Ccmclp32.exe	92
PID 4752 wrote to memory of 4708	4752	Ccmclp32.exe	92
PID 4752 wrote to memory of 4708	4752	Ccmclp32.exe	92
PID 4708 wrote to memory of 1692	4708	Digkijmd.exe	93
PID 4708 wrote to memory of 1692	4708	Digkijmd.exe	93
PID 4708 wrote to memory of 1692	4708	Digkijmd.exe	93
PID 1692 wrote to memory of 4560	1692	Denlnk32.exe	94
PID 1692 wrote to memory of 4560	1692	Denlnk32.exe	94
PID 1692 wrote to memory of 4560	1692	Denlnk32.exe	94
PID 4560 wrote to memory of 3664	4560	Dhlhjf32.exe	95
PID 4560 wrote to memory of 3664	4560	Dhlhjf32.exe	95
PID 4560 wrote to memory of 3664	4560	Dhlhjf32.exe	95
PID 3664 wrote to memory of 1568	3664	Dpcpkc32.exe	96
PID 3664 wrote to memory of 1568	3664	Dpcpkc32.exe	96
PID 3664 wrote to memory of 1568	3664	Dpcpkc32.exe	96
PID 1568 wrote to memory of 1352	1568	Dcalgo32.exe	97
PID 1568 wrote to memory of 1352	1568	Dcalgo32.exe	97
PID 1568 wrote to memory of 1352	1568	Dcalgo32.exe	97
PID 1352 wrote to memory of 4324	1352	Dadlclim.exe	98
PID 1352 wrote to memory of 4324	1352	Dadlclim.exe	98
PID 1352 wrote to memory of 4324	1352	Dadlclim.exe	98
PID 4324 wrote to memory of 1468	4324	Djlddi32.exe	99
PID 4324 wrote to memory of 1468	4324	Djlddi32.exe	99
PID 4324 wrote to memory of 1468	4324	Djlddi32.exe	99
PID 1468 wrote to memory of 412	1468	Dljqpd32.exe	100
PID 1468 wrote to memory of 412	1468	Dljqpd32.exe	100
PID 1468 wrote to memory of 412	1468	Dljqpd32.exe	100
PID 412 wrote to memory of 3580	412	Dcdimopp.exe	101
PID 412 wrote to memory of 3580	412	Dcdimopp.exe	101
PID 412 wrote to memory of 3580	412	Dcdimopp.exe	101
PID 3580 wrote to memory of 4792	3580	Dagiil32.exe	102
PID 3580 wrote to memory of 4792	3580	Dagiil32.exe	102
PID 3580 wrote to memory of 4792	3580	Dagiil32.exe	102
PID 4792 wrote to memory of 1736	4792	Debeijoc.exe	103
PID 4792 wrote to memory of 1736	4792	Debeijoc.exe	103
PID 4792 wrote to memory of 1736	4792	Debeijoc.exe	103
PID 1736 wrote to memory of 3724	1736	Dhqaefng.exe	104
PID 1736 wrote to memory of 3724	1736	Dhqaefng.exe	104
PID 1736 wrote to memory of 3724	1736	Dhqaefng.exe	104
PID 3724 wrote to memory of 1316	3724	Dllmfd32.exe	105
PID 3724 wrote to memory of 1316	3724	Dllmfd32.exe	105
PID 3724 wrote to memory of 1316	3724	Dllmfd32.exe	105
PID 1316 wrote to memory of 4084	1316	Dphifcoi.exe	106

C:\Users\Admin\AppData\Local\Temp\00eea38a61f351a55a0311e9be5c21dc3ef6cd685649154febfbe7b1b498fb09.exe
"C:\Users\Admin\AppData\Local\Temp\00eea38a61f351a55a0311e9be5c21dc3ef6cd685649154febfbe7b1b498fb09.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\Cedihl32.exe
  C:\Windows\system32\Cedihl32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\Commqb32.exe
    C:\Windows\system32\Commqb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\Cibank32.exe
      C:\Windows\system32\Cibank32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1884
      - C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        24⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        25⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        26⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        30⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        38⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        40⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        41⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        43⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        44⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:656
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3360
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        49⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        53⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2556
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4380
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        59⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        64⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1276
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        67⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2252
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2776
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        71⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        72⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        73⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        74⤵
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        75⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2532
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        77⤵
        Drops file in System32 directory
        
        PID:5088
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        81⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        82⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        83⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        84⤵
        
        PID:972
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3000
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        87⤵
        Drops file in System32 directory
        
        PID:4728
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        88⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        89⤵
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        90⤵
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        91⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        92⤵
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        93⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        94⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4392
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        96⤵
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        99⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        100⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4844
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:440
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        104⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3508
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        106⤵
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        107⤵
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        108⤵
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        109⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        110⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        111⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        113⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        115⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        116⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        117⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5488
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        120⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        121⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        123⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        124⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        125⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        126⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        127⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        129⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        130⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        134⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        135⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        137⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        138⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        139⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        141⤵
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5696
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        144⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        145⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        147⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        148⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        150⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        151⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        153⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        154⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        155⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        156⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        157⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        159⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        161⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        163⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6020
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        169⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        173⤵
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6384
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        175⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        176⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        177⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6568
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        179⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        180⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        181⤵
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        182⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6756 -s 404
        183⤵
        Program crash
        
        PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 6756 -ip 6756
1⤵
PID:6868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
422KB

MD5
bca7c0bfe2b158849791c798883a2214

SHA1
9e1aa2e3b1f628a26d03a9955669a48fdeab45fa

SHA256
344b63d4ccc7b34b08b699d0d09e609382351ae0cc2c21c99e32690b1658db4d

SHA512
a1383af0daecc303b5a891a3cb94e4a7f5de1519e5732bba0177ab75dfae2093bd213df88b4e7f35ece34462ff9b6cd491986248d7b7858b669ec47196e464c6

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
422KB

MD5
8acdb97a0d9ac72e5a9afb9378953b43

SHA1
318da6d022eb7e7058ab892f4cca776b1fc6932e

SHA256
54b7e4a0acba3333b41b062c196b087b970995712cc1fbd6cf9d95ff6e860db0

SHA512
0353b73fc1fe197f97ea56573d809319a67745a3a7226c2895b78132b274c38fd45f903d27cfe4aa6221581eef263aaa000949b828e0084dc77c05ac2504818f

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
422KB

MD5
27b94f97c4489e422cfa5f9b4c67cc98

SHA1
00a20eb6b6502727cd2bbcbb3e6ceeb6fd6fc834

SHA256
ef34bc7bf9dce3131e3d2355a94ce43f658c01c877940649a6247e4b1b0459a0

SHA512
3971218d02ef609ab47d8bf3057fed3a8e2729a5a5d4c88acd5416d517df5d5edc49663261891131d594382cf6819a66eda6c0e039e11eff40f067b230ac48a0

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
422KB

MD5
ef87f7ceb9ff0036abef7c1cc575ccb9

SHA1
c51c59b0c76309ccd6b86d6dc5d45821a22b5547

SHA256
dd38ce203ab988cd97bae3db6df360b82fc59db3981fbce626e10401d74da643

SHA512
023e6bb0d1a2152af7051584296aa6dae7ab8805a61c60f1c0fa8dd92672f4ee3e55985eae02252ffbe89c586d9b6976abe6ba835e34f22995cad44b3c8ec1c5

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
422KB

MD5
ac5bc246e51604e75f9526949351dd8b

SHA1
686c69e8e63b579cea9e8aad590aea8e79a64f20

SHA256
f83758e2ff299403868d258261275d1b1405c11938706a0acea9995e8b0f0a40

SHA512
9b9520a0902ccbbe32c5f95b2055a444adff7fafc8c5864b9590ea47542476bfe50e131caf65a0df19818f15124063172478a5556e63805eb0f26629ee6d0a25

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
422KB

MD5
195dd45de24ed278539cbc039f56ac59

SHA1
d7390fa45f612c2713e2359733d1075be69e82bd

SHA256
bd3e7f58029df280e6a959d11581a6765902cdcf9aefed8908cd2ddc386b28b5

SHA512
686201eecea540444d7ba189cf08c0c23aca62d4419615a3722297e9a141efa504a9f8d11ebbe5903a761e5b830007c9f7b38ca6b967d0db5317c8676b8b8cf8

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
422KB

MD5
cd32d07f7e5777fd0189e7ab1d78f562

SHA1
b0049b9795603fc06213e9f6a44e759edccb4315

SHA256
3603c0071598868c24b06995753039491d978fa5bb1cdb80cd369d90df1d1fca

SHA512
4ac7ef606c55db51dd54cef9b8b18472e12fe014bde754107e61f10a3c44aafff98f1bc018b4e8fadf6315f589bc2cc7d9e1b654d50629628f94f0d17eba6143

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
422KB

MD5
cf225b547493a7841233cab283b92f05

SHA1
c50d5c62dc80f41f374309a8732c9786dc52273d

SHA256
85b0f492a4835a1d4defec948fe677e6d87001be1a6de4fe45a63196716f96d9

SHA512
d469d7b46e41da0b441d6a8dd1032528fa89f03f801cbec78df4cc28725d9ec9f4ac530b3688e7b8ac77af7734cd5b3f21d8ec68f3d961b78bb14b1eac32a133

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
422KB

MD5
9d6d9d69b6049bc5cf9ac21b490e0fa5

SHA1
a1fbef42f9132bae01482c995f81ac2ba28bb4ad

SHA256
fea94330b1ff243fba80ae1591b2ea6da835bc0e556fa4218997831739e4c20e

SHA512
5d218d1fad89837c3844568190024f55f3871dd8607b35b49f1ca937d59ce1d79737c5b5daf8764f075b2c951ea341aba410e31569eb17a2086a8db8dc6e321e

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
422KB

MD5
fb989f408901287b1f53019e8af08a79

SHA1
21d0e88abee19e803d1fd3c729e6017459e9683d

SHA256
fd30574b97e3342361fbfecc19b2f6daea0f73447b3960421f82899f5af7ff0e

SHA512
7d3196b56b68081a996b37964d1f6e03391ef7331976c1f0fd35f2a1414a7ae252a4c8b0eca64f8b0b87baab75be7ee27367379808e847e822e0c7b8b96919c5

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
422KB

MD5
8fa7654ae5e89c8ce5d65c6485699909

SHA1
d04c619f9850a7118c9ec80ba7105bb84d723785

SHA256
f386e790ece1d640f0b0d23c9979f4d4089d22e481144cd50dfbd4d56ea07ccf

SHA512
ee0eec8e323bee0e28b59f4d75ab2ba38d356dcf8e6618d257aba472a99671629de75b65d8fa6593a22f8e36c222ec634adee67dc9a81fe7485868fdbd26ff6a

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
422KB

MD5
47b2c08ff1f4cec4005cbf538649fdae

SHA1
3a6957b4fbc4bfb749c09b272e154ecbbfee5675

SHA256
6bd2ac6d5a00d0e3d2acebd3648549bc24d9ea26ef8e440d0ecfbfb212081b97

SHA512
3a165c94035b8037ff689caed1db6ac9460a1f4d7f828aa8bce636f493528fdfe0ba9e5def5034426014153304aacbfdc02e58b6e0cd976f883049bfac74f204

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
422KB

MD5
ef77f6496e72d9d2fb88c662d68ce665

SHA1
33eae4c5d39ce571d6c06e0ecab896071ca17e0d

SHA256
8716d339b184c3784a02ff666755f5360f051c20fcedf3185ca616e2532a9974

SHA512
870d878b388f89274e0dcec65430017560902349a3b5d0fc8de6f8a8258e5ff6f66d46caa59e63143df66f0dda4b784f53785ea928a94af42cb8f4fa6a662b7a

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
422KB

MD5
d69bf5e1bc67b6f11a76ae130913252d

SHA1
bbc9387efa839fb43474e60a931adef08a852b00

SHA256
d693c9acaaae28ceaa57774e507c62392dfd0fe911c329de83efa85c5977f4ae

SHA512
407fbf6fcdfde46da26c2a49052b0b8ab379c802c0275113dab2fd276157485cac598b43294f565a73d8c2bd0d8e9ee2e8b9869756c678e4c3f1a728e03a9914

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
422KB

MD5
fd459527ca68c3de93250af9530c20f6

SHA1
2d275715df244a7fe86e9a7b2317fa08f1fb9b2a

SHA256
91cdead5f709d8c961970990dfb5b181a268e2f8c3ccd30fd47d188ff407b89f

SHA512
365afa513eb0d503fe1fda767598e0911600dc4e3f672f85faccbb35cd670bda92f6045f50558d62c7d2bf6aa5ee7f659c9d79cf1d25b58fc9248b0f43b3df51

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
422KB

MD5
81a753628a7a012aedcd14b306afe471

SHA1
06c6a56462b7cd4301117a3ed413bcdd17a9e227

SHA256
942468e31e3aad0a89b1d7c2688fa5894ccb6bc0f608ac8295d55ff6d85628c6

SHA512
d71260e4d7018534b89d86bb0181c7e4729314cc6d270cc23ba6e5dd268c293829ac3e3fa0073553cf8de5ac2aa236b39e95bfc732e02f6be1dc8ddabc676254

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
422KB

MD5
a28fc63d1c9057522a6b719cceb7ee13

SHA1
5cf2a65ec08a8faac5f5be20d337afbde8706f7d

SHA256
b1cdb9804a69c70d29f24239950476d1ad02d64a2db97d0b31b2bc9e33ba41c4

SHA512
bc5b6451516db625b6ff98e546a4188321296f3bdce91fe9ea9e10b0bafcd0d810243d744e146832b7830e552f198d956ed9f64a41c5a60741526737ab8fe209

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
422KB

MD5
a5d99a72db14005d2a14ca34b2955994

SHA1
81943c07948f128d891dce93dd842f9787fe3196

SHA256
e16bb66fbc140b5c4a435623159918d03dd1a13f8a578ccdfb0c60ca0c2e9b20

SHA512
4351ff193364788fd66b9cba0c243c1218f4267ae70299a5cbd8fdd329f93d4cdbcc2689030bba2dd10ef458542910051fdd4b39e6270dd1ad95169ff5ed4df6

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
422KB

MD5
60b05710459f36e22a7ce2db0ce7a771

SHA1
cbf1e9178e03a8afc358298e29b4c2516a5b397d

SHA256
d49aaa0d9727e6b6525ab2234705e1fdf873428d40f378ee295626e90416d05d

SHA512
5157207417fff95f8436b5f9e70165483f5d57ffdf1d9855522eca8f649765287ec6c6079bfca22a490afef21cf64ade557c8dd44d347c69f2d59ef10e12bc27

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
422KB

MD5
3b0082cb2c858d2618e93243b1410054

SHA1
c6cf5284591baeb5c6ca228a5a83fde167d8e82f

SHA256
31dd687c608473e6681290b0befd13a9d4732b7e78a5094dd0158d6bbdf64e43

SHA512
a802ca4f5c6bb82cc3562415efcc2347d69993f416df85c5309ade8482d7277ab81527cb7407bf524fa3f3a9e708e01e6cc645c87c3317e51f66d87761aa725f

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
422KB

MD5
65979adca0640fdee6dcf5abb8fe6d00

SHA1
163813bf141e55c656aa216db1fe5f445ccdb36e

SHA256
6208b875477da48375ee354bc486eb44990354968a3c4020e9ef1cca976bf0c5

SHA512
68bae6c4961d1a6b17a91f6583c603e8a7dbca77634e4c1e15b768d65c99559ab5d7d68b428750d7c12d8d9b8c0f6df98d5d204d578acad203998eb0dcc11c58

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
422KB

MD5
d30a8724b233bf57037945673c18b002

SHA1
c392e0bfffb5cbcd01bff9364db64234d2e42a5b

SHA256
87bca94b69a8bf11828647e93570bcf380692928a061e2d1256727814394af08

SHA512
b2126e367e6b2347baf5b0436f010496207f3b0a25a6996512870031bce7121aa1643a7ac347c4a6eb34f3e669beb06db0406a9f1638fc209fde9e4ebd8b5fcf

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
422KB

MD5
16ba1a9ed75f06c5b7e4fd4ec5096765

SHA1
9bbe80b384baba9b2afa064a356a1cac7b7386a3

SHA256
c6ba1f37dd072a9bf4c450a4aea91bc7a2510fa0eb979fb90d52b7c20d81c02c

SHA512
c426523da8eeae4c63d7703ec4e18d775cb3228c26a256b02095c48083bd5543f8caeb24468c7c4414bd7171416487bd6fd3bfe8a09d58f8bb10a017e39b53a4

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
422KB

MD5
85f4c9ccabc02b8e633f8e6d70a78074

SHA1
495358e677fe262da6d42d606aa90dcea8b4f6b9

SHA256
7b4de7e72e113645920df54d62730dc607029df0c54908ab14edc01e2b4ff448

SHA512
28546a9b129fb813eaa9d1d9e7c9614a9455747989c416a8cec0acc36c7079a0d3a0146a7bac92bc9544ede1b588873fe791f35d51c92bfb458554b16b7d4c17

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
422KB

MD5
00c8f3a32a8da263e38bbc9da98c6764

SHA1
983e03281ebef69a54f631d0d290c410fc156102

SHA256
b82be9d0bd13aa89195ca07a52e8b38ff59a038f099eaa4ae2fb403449c0e3d9

SHA512
667a2d5f35fbe1ab5977aca07e21d2298d9219ae7110229e61764570891fca53be58f6f33fc831e90483907f9407ba7b97ee16b96b5e5af4023b3af4c2828739

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
422KB

MD5
1c441fb47ec17b2c0b06afe77fc66e6b

SHA1
70bf210b3eb4502f89b2ae0c1a796c4dbfdbbdd5

SHA256
a16e88ee4cbf6d9ec3cd8ad0786f90438e55e676de44871a493e7edd544e4a4b

SHA512
f96fd48b3426a1ba129e6355eeffd1acdc3f7a8cf283531028444c494ca911e00248e7f4a849b03e7ad80586f070c0af8e5ff299fb2c0127e32bc2279b827fc8

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
422KB

MD5
1ef826639ce109d6affd286879abc697

SHA1
5213623cc580aa8edaed2d519565ca898cb24902

SHA256
23df467e958f0f0429aea0b7a30507d12bac4c948b95dfc66aebcf35dbd588ca

SHA512
34a6252f5c4f2d12eef93701b95d23f01a7f7f283bde091a43d50b7a60f240bcb1728e1c5e2490af3166651ec800be17f1957f713353a57d0a194960b853d0d7

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
422KB

MD5
6b1233d51506d7f90306c10b6314766b

SHA1
79d760e4b5b2d390c646dee70ff591194ba371a6

SHA256
b15759e7a40328b4a74db0e9ba07a669c872ddbf71935de0b14cb989ebf20b9a

SHA512
6e3770589ba23dcd12a25d24121358e50b3f5eadce57e6bc787605a1af131fadd835a6c90fbde3ab0c03ef995df41b6f08b7d06195ab4be070c60ea800a91c90

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
422KB

MD5
92db87f06f86fd52730e21846880353d

SHA1
378d1a5ad53beaaf8083c8c5b62d38781d2a7cd1

SHA256
ac0f48e25074793d5f731f0f81e91459c56d6369d763582b010a44a192fddc06

SHA512
7b0226751b521e4d92780a1672a9937abe1afda1cd14301d9343c2b1aae9f391c7c6f8b81fe1a623c0629f49ec5d2e55dbf7365c7915710a9c5efc367e07017a

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
422KB

MD5
8aaeede6eca7cb42b30bf0b6658a4c94

SHA1
8a2df9dbc55b4ae28bced09df2a1937f44d18070

SHA256
3c20ba1fc9a5233d890529dce2f6b49af6e9522f708fbffd29390017c8db34ff

SHA512
b896e7a187af491da6eac9d07388e4b93acd0a52b1ce198d76c23dc38ea7f1d8d752ded6db11e52bc68b7906481731402d1574dbf831f67af9075c7e2eb04007

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
422KB

MD5
409b82b8c3172bf2a9449d9f31e8515d

SHA1
498204d01062743352a8aec66b84b8430a61714b

SHA256
7118bcebddca3dafb573849c5a9c67dd82170e816b0279c95108760cec3af075

SHA512
2395c8e868c551f19dff75c9ac18ece74d5b039acbf1362652f56c0466eac71c5e8eb8acfcac8e6ee48b5a887c4d3ed282f2c2d4a335b55250713ef7b699cdfa

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
422KB

MD5
e2aa17bbbd7f57d11b8b19580d05919f

SHA1
9ff1d1403dcaade633499e17f5d1dbf634e6f587

SHA256
0a4dabac4418cd94fe9ba46c1be1eeb6c95da34a69c9d09e7b94489500b4e55f

SHA512
a16fa0b021e073d839e2fac2e7d6371c3eccbcec02a3ac4202c29919de78937e0e417e0fe9e5bcf49c4543cd184bf1da2e7596013f5578298ad5e6e70c4589a6

Download Submit
C:\Windows\SysWOW64\Hcedaheh.exe

Filesize
422KB

MD5
0263d0767882b94254883ae6ed78cc42

SHA1
26ca8ed92e95d6d8b45e99f370262c6338e66a11

SHA256
db583c9af1ebaa3a243e1fc19cb19954687c3615577cde30b877d9e86bc6b1a7

SHA512
0eff0f9273c6ad65b736ed22ed48a9dfe53845fe3a4e393e313c77c601c77ea0d630e7555846e7bba6e5d97b79b43c33acded0bfc86a76ac815de68e5638e1b4

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
422KB

MD5
22db3dee667f5e79e8929eafba8056c0

SHA1
d5870e04445ddc0590fe3947a531187cbcc19cd1

SHA256
3f60764f785fc7ada457201ab78a2f8f19aadbb80f55bdb9ba6b72e88a5f0c8d

SHA512
da947da1d2f439c70ced6a92b87db41e2afb0d9ceb7e36bf663711ae9353a47050dfbf887bad8cf16347616e22e97c206d3c4e6232b1c31faed47d8c3735a022

Download Submit
C:\Windows\SysWOW64\Impepm32.exe

Filesize
422KB

MD5
c457c40a75053e7e887ef9053c394613

SHA1
e77da39885969b4528693a5e76f72119fc923613

SHA256
d811bc6eaaf816700c528f5846f888f3e0d2f5f2faad7c74f2eca1c8bcbb8cca

SHA512
09e9cd73ce476b7b2b201648ca6e90312dad8849e412801fb960d7e22f710e3f1b4feb2f6b44ede80b5529a4f5e53dbe72e9503accccc268c66fb674bc6739d5

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
320KB

MD5
3e79395f3be2481a65da362c15259896

SHA1
f9e7fd8d02362a6740f43b9bb2a1b68e24f99293

SHA256
9f047cbcc5124a916e40133bdf99a42ab992f76436fdbb052ea8a095c7291fb4

SHA512
6f08fc47650021f57a55274e9ca0844e7c08733ed700b2502e49b03f87a4f29dd0cd8672f250d8b9722607a430edc163e839863c672938904aac39d66f87769d

Download Submit
C:\Windows\SysWOW64\Jmbklj32.exe

Filesize
422KB

MD5
8076ae7b1701d4bc6835aa2a4ac3cf82

SHA1
49b282018abb5762477c41e4b3849e9c426c0033

SHA256
3dac86029fa1d67b694a3e8371a083e174cfeb60e87e19966ede35f91fb33c0b

SHA512
8d3b4088cd058e2e4dd68e6e2a5ec93b8139ebab7edf3172887557e4c2339e2fc2e869453158ce5897f7e3dc7cbc47249f8e280c34a760b2114eb08fa2cc9a7c

Download Submit
C:\Windows\SysWOW64\Jpgdbg32.exe

Filesize
422KB

MD5
2f3b954b8c3aa7e0dae99c1069281bfe

SHA1
f51132447abc84004c7a075b2497d67d1fea8ccd

SHA256
18e72ef1be073cb459b7c35f5e8481875eb20f80a6e62dd4b881209c5d17961d

SHA512
d74f24d0fb326be3fee546b8bddefafe058e138f75638577637aa6afa4a016a0d1ebd2e7e2b023325b6764519241b4754d69ddfd1a9bdb67f64c61d4aa9419cb

Download Submit
memory/324-350-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/412-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/864-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/972-534-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1020-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1068-504-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1168-387-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1468-366-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1612-540-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1688-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1692-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1736-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1776-510-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1808-522-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1892-480-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-427-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2008-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2012-529-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2072-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2368-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2532-486-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2556-374-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2568-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2960-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3000-546-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3084-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3360-360-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-516-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3496-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3504-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3664-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3724-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-456-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-421-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4496-498-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4560-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-63-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4728-552-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4816-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4824-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4868-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4924-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4944-357-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4952-474-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4972-468-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4988-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5000-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5088-492-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads