d04121453c66949e4fa2549823620763ba9ac2cc71cfc24dd96b5c977df5df0e

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d04121453c66949e4fa2549823620763ba9ac2cc71cfc24dd96b5c977df5df0e.exe
Size

224KB
MD5

016635a2ca089b49e57f34d948751c14
SHA1

826e69a2129aaac922793e6617954c17b7080d4d
SHA256

d04121453c66949e4fa2549823620763ba9ac2cc71cfc24dd96b5c977df5df0e
SHA512

0fdd96bd03e9b945a5c839131d3f556a54bc5e055c225d2707e06d402688d9b76209463c040d9a4f0f7bcb03369db77595f1541b82f328b66f8e7b8ef7632341
SSDEEP

6144:qbiOsoXbbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQcv:CbWGRdA6sQhPbWGRdA6sQc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cedihl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chgoogfa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dljqpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cedihl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceibclgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe

Executes dropped EXE 64 IoCs

pid	Process
3036	Cedihl32.exe
816	Clnadfbp.exe
4992	Cakjmm32.exe
2164	Cibank32.exe
1640	Cpljkdig.exe
3092	Ccjfgphj.exe
3464	Ceibclgn.exe
4764	Chgoogfa.exe
3904	Ccmclp32.exe
2504	Cekohk32.exe
2184	Digkijmd.exe
3728	Doccaall.exe
2312	Dabpnlkp.exe
5008	Diihojkb.exe
3944	Dhlhjf32.exe
1764	Dofpgqji.exe
3604	Dadlclim.exe
4796	Dephckaf.exe
4632	Djlddi32.exe
4028	Dljqpd32.exe
964	Dcdimopp.exe
4828	Debeijoc.exe
1480	Dhqaefng.exe
2948	Dllmfd32.exe
3936	Dphifcoi.exe
1120	Dokjbp32.exe
3708	Dcfebonm.exe
1896	Daifnk32.exe
2684	Dfdbojmq.exe
1376	Djpnohej.exe
4936	Dhcnke32.exe
624	Dlojkddn.exe
4436	Dpjflb32.exe
3432	Domfgpca.exe
4396	Dchbhn32.exe
1584	Dakbckbe.exe
2240	Efgodj32.exe
1372	Ejbkehcg.exe
992	Elagacbk.exe
812	Epmcab32.exe
1056	Eoocmoao.exe
3956	Eckonn32.exe
1784	Elccfc32.exe
5088	Ecmlcmhe.exe
4000	Eflhoigi.exe
1384	Ejgdpg32.exe
1248	Eodlho32.exe
3392	Ejjqeg32.exe
4984	Eofinnkf.exe
4296	Ebeejijj.exe
4124	Fbgbpihg.exe
4776	Fjnjqfij.exe
2528	Fbioei32.exe
4648	Fjqgff32.exe
4696	Fcikolnh.exe
772	Fqmlhpla.exe
4364	Fckhdk32.exe
4588	Fjepaecb.exe
3308	Fmclmabe.exe
4624	Fobiilai.exe
736	Fijmbb32.exe
3120	Fqaeco32.exe
3380	Gcpapkgp.exe
2848	Gimjhafg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Daifnk32.exe	Dcfebonm.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Gibgla32.dll	Cekohk32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Cekohk32.exe	Ccmclp32.exe
File opened for modification	C:\Windows\SysWOW64\Dcfebonm.exe	Dokjbp32.exe
File created	C:\Windows\SysWOW64\Ojigmkeg.dll	Dhcnke32.exe
File created	C:\Windows\SysWOW64\Npgpaojg.dll	Dlojkddn.exe
File opened for modification	C:\Windows\SysWOW64\Djlddi32.exe	Dephckaf.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Epmcab32.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Fbgbpihg.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Bppheeep.dll	Ebeejijj.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Fllceb32.dll	Djlddi32.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	Elagacbk.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Cedihl32.exe	d04121453c66949e4fa2549823620763ba9ac2cc71cfc24dd96b5c977df5df0e.exe
File created	C:\Windows\SysWOW64\Nmljla32.dll	Ccjfgphj.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Fjnjqfij.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjfgphj.exe	Cpljkdig.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jingckla.dll	Cpljkdig.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ceibclgn.exe	Ccjfgphj.exe
File opened for modification	C:\Windows\SysWOW64\Dabpnlkp.exe	Doccaall.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Ggmlbfpm.dll	Dchbhn32.exe
File opened for modification	C:\Windows\SysWOW64\Eofinnkf.exe	Ejjqeg32.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fobiilai.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6856	6756	WerFault.exe	279

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjdddho.dll"	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cedihl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odhibo32.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpphha.dll"	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Digkijmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacdmi32.dll"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhollf32.dll"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbfkb32.dll"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjfgphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiagblgj.dll"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Debeijoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkdqfii.dll"	Doccaall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmlbfpm.dll"	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkokhc32.dll"	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3036	3076	d04121453c66949e4fa2549823620763ba9ac2cc71cfc24dd96b5c977df5df0e.exe	86
PID 3076 wrote to memory of 3036	3076	d04121453c66949e4fa2549823620763ba9ac2cc71cfc24dd96b5c977df5df0e.exe	86
PID 3076 wrote to memory of 3036	3076	d04121453c66949e4fa2549823620763ba9ac2cc71cfc24dd96b5c977df5df0e.exe	86
PID 3036 wrote to memory of 816	3036	Cedihl32.exe	87
PID 3036 wrote to memory of 816	3036	Cedihl32.exe	87
PID 3036 wrote to memory of 816	3036	Cedihl32.exe	87
PID 816 wrote to memory of 4992	816	Clnadfbp.exe	88
PID 816 wrote to memory of 4992	816	Clnadfbp.exe	88
PID 816 wrote to memory of 4992	816	Clnadfbp.exe	88
PID 4992 wrote to memory of 2164	4992	Cakjmm32.exe	89
PID 4992 wrote to memory of 2164	4992	Cakjmm32.exe	89
PID 4992 wrote to memory of 2164	4992	Cakjmm32.exe	89
PID 2164 wrote to memory of 1640	2164	Cibank32.exe	90
PID 2164 wrote to memory of 1640	2164	Cibank32.exe	90
PID 2164 wrote to memory of 1640	2164	Cibank32.exe	90
PID 1640 wrote to memory of 3092	1640	Cpljkdig.exe	91
PID 1640 wrote to memory of 3092	1640	Cpljkdig.exe	91
PID 1640 wrote to memory of 3092	1640	Cpljkdig.exe	91
PID 3092 wrote to memory of 3464	3092	Ccjfgphj.exe	92
PID 3092 wrote to memory of 3464	3092	Ccjfgphj.exe	92
PID 3092 wrote to memory of 3464	3092	Ccjfgphj.exe	92
PID 3464 wrote to memory of 4764	3464	Ceibclgn.exe	93
PID 3464 wrote to memory of 4764	3464	Ceibclgn.exe	93
PID 3464 wrote to memory of 4764	3464	Ceibclgn.exe	93
PID 4764 wrote to memory of 3904	4764	Chgoogfa.exe	94
PID 4764 wrote to memory of 3904	4764	Chgoogfa.exe	94
PID 4764 wrote to memory of 3904	4764	Chgoogfa.exe	94
PID 3904 wrote to memory of 2504	3904	Ccmclp32.exe	95
PID 3904 wrote to memory of 2504	3904	Ccmclp32.exe	95
PID 3904 wrote to memory of 2504	3904	Ccmclp32.exe	95
PID 2504 wrote to memory of 2184	2504	Cekohk32.exe	96
PID 2504 wrote to memory of 2184	2504	Cekohk32.exe	96
PID 2504 wrote to memory of 2184	2504	Cekohk32.exe	96
PID 2184 wrote to memory of 3728	2184	Digkijmd.exe	97
PID 2184 wrote to memory of 3728	2184	Digkijmd.exe	97
PID 2184 wrote to memory of 3728	2184	Digkijmd.exe	97
PID 3728 wrote to memory of 2312	3728	Doccaall.exe	98
PID 3728 wrote to memory of 2312	3728	Doccaall.exe	98
PID 3728 wrote to memory of 2312	3728	Doccaall.exe	98
PID 2312 wrote to memory of 5008	2312	Dabpnlkp.exe	99
PID 2312 wrote to memory of 5008	2312	Dabpnlkp.exe	99
PID 2312 wrote to memory of 5008	2312	Dabpnlkp.exe	99
PID 5008 wrote to memory of 3944	5008	Diihojkb.exe	100
PID 5008 wrote to memory of 3944	5008	Diihojkb.exe	100
PID 5008 wrote to memory of 3944	5008	Diihojkb.exe	100
PID 3944 wrote to memory of 1764	3944	Dhlhjf32.exe	101
PID 3944 wrote to memory of 1764	3944	Dhlhjf32.exe	101
PID 3944 wrote to memory of 1764	3944	Dhlhjf32.exe	101
PID 1764 wrote to memory of 3604	1764	Dofpgqji.exe	102
PID 1764 wrote to memory of 3604	1764	Dofpgqji.exe	102
PID 1764 wrote to memory of 3604	1764	Dofpgqji.exe	102
PID 3604 wrote to memory of 4796	3604	Dadlclim.exe	103
PID 3604 wrote to memory of 4796	3604	Dadlclim.exe	103
PID 3604 wrote to memory of 4796	3604	Dadlclim.exe	103
PID 4796 wrote to memory of 4632	4796	Dephckaf.exe	104
PID 4796 wrote to memory of 4632	4796	Dephckaf.exe	104
PID 4796 wrote to memory of 4632	4796	Dephckaf.exe	104
PID 4632 wrote to memory of 4028	4632	Djlddi32.exe	105
PID 4632 wrote to memory of 4028	4632	Djlddi32.exe	105
PID 4632 wrote to memory of 4028	4632	Djlddi32.exe	105
PID 4028 wrote to memory of 964	4028	Dljqpd32.exe	106
PID 4028 wrote to memory of 964	4028	Dljqpd32.exe	106
PID 4028 wrote to memory of 964	4028	Dljqpd32.exe	106
PID 964 wrote to memory of 4828	964	Dcdimopp.exe	107

C:\Users\Admin\AppData\Local\Temp\d04121453c66949e4fa2549823620763ba9ac2cc71cfc24dd96b5c977df5df0e.exe
"C:\Users\Admin\AppData\Local\Temp\d04121453c66949e4fa2549823620763ba9ac2cc71cfc24dd96b5c977df5df0e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\SysWOW64\Cedihl32.exe
  C:\Windows\system32\Cedihl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\Clnadfbp.exe
    C:\Windows\system32\Clnadfbp.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\SysWOW64\Cakjmm32.exe
      C:\Windows\system32\Cakjmm32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        25⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3936
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        29⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        31⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        35⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        37⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        39⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        42⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        44⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        45⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        46⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        48⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        55⤵
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        56⤵
        Executes dropped EXE
        
        PID:4696
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        57⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        58⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        59⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        60⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        62⤵
        Executes dropped EXE
        
        PID:736
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        63⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        66⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        68⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        71⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4940
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        73⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        74⤵
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        75⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4196
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        78⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        80⤵
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2620
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1564
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        83⤵
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        85⤵
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4284
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        87⤵
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4348
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        90⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        91⤵
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        92⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        93⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        94⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        98⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        99⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        100⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        101⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        104⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        105⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        106⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        107⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        108⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        109⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        110⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        112⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        113⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        114⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5476
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        117⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        121⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        122⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        123⤵
        Drops file in System32 directory
        
        PID:6048
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        124⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        126⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        130⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        132⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        133⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        134⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        135⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        136⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        138⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5552
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        140⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        141⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        142⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        143⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        145⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        146⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        147⤵
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        150⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        151⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        152⤵
        Modifies registry class
        
        PID:6492
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        153⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        155⤵
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        156⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        157⤵
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        159⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        160⤵
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6908
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        165⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        167⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        168⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        169⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        174⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6572
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        176⤵
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        177⤵
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        178⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6848
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        180⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        181⤵
        Drops file in System32 directory
        
        PID:6972
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        185⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6348
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6604
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        189⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6756 -s 400
        190⤵
        Program crash
        
        PID:6856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6756 -ip 6756
1⤵
PID:6812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
224KB

MD5
c039e7f5ecf2bcc3c08b93e7012ad0a2

SHA1
96b06eb0ce7e6036c7c82eb3244796404e70bc61

SHA256
cb4f048c2bad0725f99b8db2c9536bfffced66a3b71b45ed54d9c2fb78af5e03

SHA512
4a587043c1b5f1972c924f1b13fd7c6066ffbaa8b45d8148482c48d092851ca4cdf5ec704ad8361a7937cc3ff82c1337f35b37b70c3d9ee7af5f1078a69c9058

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
224KB

MD5
3ae453be8142f047a86e11c8d606688e

SHA1
6080deda4819e908fe90b06b1d27fedcb338df51

SHA256
f84abcc672ea8dd86a06026ab2a24318f8d68552fdb557e82fb0a14d59df98ae

SHA512
3ebfe2ef5bcb21e42bd0aa1d9415fd4e6dc199f5c1a28a5bcb306816347ef8f180799b7474343a2b3f59fe73ee703dde70ff4022f3ecffbfb1f9fe3b2d4ae05c

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
224KB

MD5
38fa29e5bd4b0c4e5e9edd1e6ac99acc

SHA1
4acf4663ceafe5d9e380cf246dabe526efb3480c

SHA256
c3c8ada0942bc57dd88c006ed1a443bf8b06679e814c690df92cfe0df8104748

SHA512
1514f1f7f2d893041fd77b6d3e786d90c51a07c6471868eae2cf4db95ece0e5d2c54b3cd858b033239f5d7031fffda955d97c4931de76fce72c4f9fd358aaec9

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
224KB

MD5
398dcb86141c35e68fbc76e60e222a16

SHA1
a5529ca006918813caa718b5072540f5e97d0c07

SHA256
8359cdffdeb29278cc01c063175e7163eabd03c672b5f87d7acbad202ecd9ce6

SHA512
4faa3f8f22d14975ec5cd708127e7757394c6434cdf71fe1ed7911d07bd97944f3819dc6132f5cc478f9c1c835817fd8ffdd9074ae4f173a783ecfec060587d5

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
224KB

MD5
4b14f7a9b3ccc44ac261829f6bdb3dcd

SHA1
2e2c9e8f2e9623e0a2b820e239cadbed5422d5fa

SHA256
7145dc7bbff5da2fbcec9456886f3bac67534911372c1c2b78140a5d4c0bb118

SHA512
9b91332b9083d70dfdf2ffaf6dc25dbf73f50b51c77e05d8011149e1020c53c686def05058f0fefb9122fac003ca02500e291d0055c55441f6c0a8b56a0a51ed

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
224KB

MD5
4fb9db1e97535da2039aa4c6f1eddf1c

SHA1
6049ee97ff0166a3f2b8f256520d5006f104bca3

SHA256
c9a956bf87c98d0593753e97403cd57519397246f2f145030433ee77e8872d0e

SHA512
e79c0f16aec1a15998e0d44987e0eda28f248d9e0e581ab19bd51a44072c6920b9fd7b2fba8745d8d22c7795011d7119df631be7144cb8ef801458d4fad06ffe

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
224KB

MD5
037b7450a5555a70467c414b22feb062

SHA1
809cd305eb1f496e6b21f08a7a9a95f221608a13

SHA256
b142886bb3fb692f56a225aef99e2be66d8a75430c61aea8c9e5a362bfad89a0

SHA512
835e8ab47154ec72db09dce898bb9d61569fedcbceeb6686ea23b6a07f8523af0224d583e638e0c4905c6ad836f150bbcbbf822e0c967127f267b08828de3538

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
224KB

MD5
16ef533982164b081b8a13ca41a0cfe5

SHA1
aff332377024364b8bfbd71f242da4dc495dc773

SHA256
73a5d6e583cc1069b93f6528a3d07f9c5b0cdddb7fe12e2105ab6aece624596a

SHA512
f1d8fcc4e0d3921e82eb17c1eb3a9b7e919f677a07f7cc75407286f8e2f76ea26fcc4c4d1ae3ed097b5975c93e1f5a56e088aea790abdcfbddc811885ecfd9ea

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
224KB

MD5
2e3e2e24046a74be1fa805b779c6283e

SHA1
38f196e301f50cf95bd560bbdc64eeaf04a8def8

SHA256
a020aa7cc19607bb7b6ebc72dca01f60feff5cb2f66f76f2cb0535f73d7640a6

SHA512
a117e97d3ef87e895a7386512c54740a7431b14329b51538109ff895f5dc384358422fedded2c5683a03abe305a34e2ee8013ef72215b8498a144f89fa043f1d

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
224KB

MD5
d2e6869841c6b059c6ef5fc9147d2f83

SHA1
b2c6b8758ebb35092ee95097c136ebaff985a89f

SHA256
48964ded74379d6320c070510809a5e61fa9b3fddddb3c5c37f9fd210b460cba

SHA512
cbf35976bffae7219a1eb81b73750e946968359a7d928884945601ab702cf908d6e1e7ca27e65a88297bf209acb34e85f6ec3fe8da4d9fc80dca1a87550f082b

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
224KB

MD5
49e63116d613f1077cbc069fa7167d5b

SHA1
bf56ad2147914f9ae3403d0883b56ddbd2b37777

SHA256
5edf77c430b9e2b0da05da545a751e7c6d15567edfd87b096eed4fec84a79aed

SHA512
c46a86158682e4b3209f3cc1e7d8364c3b9927f0aab62f98b50e29e3429f71fc92396bbdd920b4c9a7eb01d6fb8c451bc3d07bee9bfef749e148c6f0d3c57fe1

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
224KB

MD5
a4ffeebc7c878664568c035244be94be

SHA1
d9a8f0076a56bdfc32cb89860f3a6017f9ad75fd

SHA256
df0967deee72b15763eefa41a290f1d7fea39876c2d528d5587d13a444dc4f6a

SHA512
c988e75a6433945e7707cccd053e4ff2d86714bb1033ff95ab75b77c587c2dff1ecf92f74ab6789101047c24f845bb8c77e66d373018f07a6782780d38e798f3

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
224KB

MD5
ce8abe6aaefc41ef7073c95136979216

SHA1
900d3774a7a27e2efeb64b3832b9c22a2920cc16

SHA256
9040a657139f0265b2f530090bffcfdf81b3c64ffc4b31ca8c8786a49e247eda

SHA512
670ea2c7dc1d3b8d34b88c87272b3267399e8790b12f0dda8ca5664796a3de1a3b0b8dd2008306649aab8f6ceffa445cc8331773e1b5bd9e06774d062c5871e9

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
224KB

MD5
291373bf79cf5144beca3173f9ad7c38

SHA1
32750a7392ae7276ad217602877df339259fa09c

SHA256
ec7a822cbd2dd76a4e4ba35ebeccdc0159a5039ee579fdaf47e3d2d7d75493b7

SHA512
67e587206bc2763ddd1b6fdb50cebc91ed002b7678d4bb8a1a868e7142e1fa6c90f21dcaab7515f458b091ee4010faff1ba8a612bcc17769d4858f291d15bf24

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
224KB

MD5
cf53e7f94b51f6e12b60e55f486687e6

SHA1
3140c934e9b744b13e6feb0b641b4117122e0766

SHA256
f7f71c3e88fe2546d704daa193c853661500fefcf2e5585109ce42b602f60de8

SHA512
54e6c14caccc554875afc90d29c3bbc82d9decd4113de9b3269f3c0f7d15e68be8c6e34fe6679a96d966d2c8d77de4a0b008579ff52bf8cb1ddf8134c4e9159d

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
224KB

MD5
131edc2240a310f5bf83152f44980933

SHA1
bee0482c5872a220876e7bef81f6d303e7545f14

SHA256
61a7a4ca93f2d2fc152f6f5e6755aeb84c6503255d6c24e1280611e60d644d89

SHA512
9e7d747fea15280c4731675e31d1ea53afa8df8b4ad4513c40109ada4e94cd4e3cd0aad3ff3cf8e9690d8a5cb7c70347ac2aa99f6167744ff39788f9b3e43538

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
224KB

MD5
4e62c8f52a3e271b5faf762e1656c81d

SHA1
8fcf25f08ce6266b797e25cfa75447d05a0db215

SHA256
3d715983ce53c37b9c76ae098010f00c3209ea4e0bce5cf395c6a02b29bba439

SHA512
31fcbca38195a9cd2edbe400e3a4ee78a012ed10deb10c6c0e381834680d2dd3f72576c614029c1c8679c67a73775bff73dd258275504c383bc6a25336259902

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
224KB

MD5
0a82399f3b3c29c61ac564dadd88bd54

SHA1
cbbe0fbc27fb4fa6db7bccdd3ff1120c9ad9cc61

SHA256
96ae7dfbf727f5e7392c15d3a41eea93edbda9d383543805305c4b1595b669f0

SHA512
ba13a8a0e54b7633e4a00ef3922901e7e57a86e4998e9a1993f0e84c2738f9c3e8497d062666d1bce4c045380d1a1f39842cd3f7faa8a34092df6f43bc416dbc

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
224KB

MD5
027c75699d74723179184bcfee0728e6

SHA1
e854ed7170b096ac6f3578c765f6f09b031eb208

SHA256
eafe74395632a5da752d46dd6e5537bd641b5f00d54a5ec8f953eb1915b56baa

SHA512
c7b0751964b4e2e93fcdde0f5c20bd4d520217b7fc4876b62715ad853596f94b1284f9030d87ad54c5967fcf8293951403f6080956d118213da675a73de11d8d

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
224KB

MD5
bb4dd48a392b84b9bf20a5baa9ee06de

SHA1
e2ee19ee81f95b9f26c976e223ba39383e966a53

SHA256
3fdb2dfc4ae649bdb5f69e86b90e5443a644632bcc21b1a14d2f123ba06ed88e

SHA512
afb674aa6f0cebfe3f12eb9b64cdf3f07a21b3b46a9ac90c3091ad76e62197715ad36f25ed4091d2358cd779b7e79eee8fbde4c32f19778652a63fc00b658807

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
224KB

MD5
c437ac7d12aea635a4a7315a01ed9fa5

SHA1
762d862b272f7cdc86d7668192c9dc29c99d901b

SHA256
e44480de1426e3a773c4dc6c2c3a3d87d581ec7385ced7592d3343743e5dcf51

SHA512
25351407409aa5dd9f4d428f88250646aea31d5e467c6ca48537102656bcb2b26139e40eb3636bef9ceb8296c03939a12ad6871a3466b57eda6d94d9c639b3b8

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
224KB

MD5
b1704a99ca4345ec21449a4d6a3ecf13

SHA1
03ec98d89d4c60d3f326c081abdf1dbb68695cd8

SHA256
d0638ff9dfab54ea7dd92e9e70422fb340813a493628aad01f9ca2fb9268b106

SHA512
c77a0b84dc12c8493c57d9f00a1cbf0cd8177dc89d6ba74c29367f633cf8c76b29d9dd3a44aab623bb9bac9162a8f3f670c0afa02b20a91518f0589b6db14852

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
224KB

MD5
000566f3e5bd59afce628b42b61b3594

SHA1
8b71c766af28fc85ff89b3e187db08fd09f388a7

SHA256
17a3e4b18cb9d70c63ede967f1b558970703f37bd9501e3587f864bce5cda9e1

SHA512
2ebb8b4bad959d6123d8302e892f26b236bed430341eba02522dad947c7c2449772ca39e381b2ef3bfb46682d109c62ed3f100c59ab5430761c9a23d163dfd76

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
224KB

MD5
06eb2626c4bc938a99954bb6c3c98d2c

SHA1
71f714d485b8a71657eb06fd4f5501275f27841b

SHA256
4f9828888c3b0b6c73e770cae66ec245b3cb7333eca902cd5bc84ae34422cab2

SHA512
46a0444e5b26232898a28980a3399ead0f6130661d24ce49ea021959827e05d24d3ec4723098d8a0899355feb3fd061c935be4fd34064aa9ac74eba3486aad46

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
224KB

MD5
b31ad70b3cde289e93b95ba226a02195

SHA1
8e4493b3389496c6a46e7975aebd834559af0ea5

SHA256
e7eddeace467addd78f71f725a9b3d36b35fd1637c4d73e773d3547bf4fac252

SHA512
7d7f37c2719a4b8a39117770d353b034e9e805b0758bde6148f956d3e760282722e402a07e39fbebffbc83ae7abd5591cfd603bf0167161254b9e1f6de2fe4d2

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
224KB

MD5
550d1f2b917bb60c673fdeeb807f4c73

SHA1
06d8b6356554bf104f7079241e4db7cf7bfd5a05

SHA256
2cb2cd29d5b8dba1282bb119e43baccf2637f6c6bbe3343fad37aa6ef4141aaa

SHA512
bd3268e3fbc3a66dadce6a791ecabf1a2cd11825da39827b7803dacb1319aaa6c184ed43a080b9a12eb8aea12ea79e67d7d0d1e078e5166f0bb5e79daf7494c2

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
224KB

MD5
d3e120738b146209dbf613d6654d4ce8

SHA1
f182ce1e04d81db36541f9c0bbd3c0ede9af3da4

SHA256
7b469ddc058e954e58bba28cce90de63e09c3fa6fc508d3fd78303a9827914cf

SHA512
a39d13d3f7beecb0cfefd83cb73185f891535469f4caf82e17ea18f13d23ee54b24ffdf3d4da12014d1f2e4e06fe25c3b4377a37c4cd8da0716334c05626f71d

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
224KB

MD5
2f021a1e075adfc3ac3a8b3b7f616bc9

SHA1
05f0b5c6c80a2eb7149333fe6b9a59f31d21fc27

SHA256
bffdae49c347a823ee872525b498378c5a1e384c6dea1b6f299e417d2e54fd32

SHA512
974bb83cfb75fa25aa84b6f24fdcdca275da30f368d4da530d13fbc54d880cd9ecde7937e66b1eac229436594d23d82fa64eb55a8a8c39c329f3cf34b6d155d8

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
224KB

MD5
7e9272a75852fe2720aafacdb604d7b6

SHA1
536bc57b7098ed7152a84ac78be18ad6fd4f6b53

SHA256
8499b626c628df000863e6d15d0edf23566b787360537c18908b09ed7c0c72cc

SHA512
f5fb39657d4f0b843fd080a2bb4d7e4ca67f944b67ebc71dec459285aa4c4c59c0fec87906f72578256f3757d65478b3f9977bcdff893026d7a733d6ec78cc0a

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
224KB

MD5
db650866fbdefc46a2b10981d8edc972

SHA1
9856660e8152195a9c7b6b653ad9091d0d932f70

SHA256
5c00f66c59b18d7d9169249cfe79888183a0a038d9657949cb8a6052f1db6b6f

SHA512
2ace703d1c1b32c8d0bfaa3fa0aeb0696504f7b85c24606644956c4b1796f97f3250a3ef02d3792bec9e4676805d0af4b330a2433c9c942ba2a7c211bf60a49c

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
224KB

MD5
30fc3e9077a9f557c7da107a1cc0e5fd

SHA1
552f8f850ce2333dcdda5febb1981245abcfd611

SHA256
f79f7e4c876f1fdf7c91736bf03a5639a2024f87d6dc334e82883b7051916d84

SHA512
4cb7ef30d61c9d8d8316aaaf08b498d5a94d24d9d3195c29cb1e035cbb058ab40b4c68f003f17abb9e27d8003baf1870903ce7bcf424cd9d7cd5c15f2892411d

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
224KB

MD5
250b73739127759b7192bae85d98c935

SHA1
a60d06e959ea4ba0ee28f4b8d313f75e4add9485

SHA256
d4b4f33b3db5aed4fa54370fbfdae8bc8b0798ae1d21b920de242d2e244c7530

SHA512
8154ab8b712f498cd2e2fbc2bb3e162f11e31dc29b1f3df10fd2eaebf9dd916425ea3aa7f1d4a832acd6a54de62eddcffa1102f38d27463305eb866b44ad956c

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
224KB

MD5
bed4c0724cc59751c350203a48739db4

SHA1
947171777f1416d9f174cc510b5f7a0fb5dd7b14

SHA256
5274131dbd1b4a5714d4fa76a5576345d09a76e0b336336c6163a3da652b07a8

SHA512
2b9a9ac8bcd9b97bfb8101e79802239defbf11c2fc5950bcb777f7b6ca29c3141a0b497e2516d5ea4c9325268eed4a2de51a1d0a514048a262e73a30e45de920

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
224KB

MD5
77ba63a56e01de230adcc67a342e4c35

SHA1
936662438bc20033fbc763554d7cb7e90830d41a

SHA256
cc2fcb0c2526ab5cb994ce416ff3886e18725e0d664f366a5376ba6dcbac4824

SHA512
29ee646940766787f9717b8699c32b9690c44a3d9634019f329ee9e2bceaef1bf9af920d0ebb9f80ec3a0fe41cb592e4ead417abf69c1fb928823b4349da83fa

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
224KB

MD5
4661a032e80534333a8528ae3ca29057

SHA1
de4e1fbea6686fced08478e943378d3d086a532c

SHA256
ca611a6f9ed0649b6af1fab4a0147159e6953c370b305b132a7ca97dfca5710d

SHA512
d3005b2ce56214768e670cf7b3036fa395382b8c9ac45536de874967dc459b2253de89124affe6fbaf0eca787877fba459e33363b44be79b3ccaef076dcc6001

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
224KB

MD5
20424d56cb1a2b2b92afd60b57f748ca

SHA1
d29faff25ae414ce3d5717890254b1036e377718

SHA256
8caddf277e775d279743f14e53e5f4ed6836e41a93d919692191dcd8be480065

SHA512
2796a37f29c32b6e1fc09d20778b281ff851d4aedbd6f10ac47737bdc5f10bb587c134b9016ef2af2af8725f28c8119e287e402f09cb2071b9fdb819e46b0776

Download Submit
memory/624-325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/812-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/816-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/816-102-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/964-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/992-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1120-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1248-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1372-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1384-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1896-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2164-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2164-158-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2948-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3076-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3076-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-391-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3392-378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3432-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3464-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3464-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-106-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3904-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3944-146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3956-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4000-375-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4124-392-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-390-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4648-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4828-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4936-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4984-384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4992-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5008-123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads