4123ae0f82bcd51fca3c3d7ab5b5dd846af27bd6ff25e18fefc5da40546d5926

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4123ae0f82bcd51fca3c3d7ab5b5dd846af27bd6ff25e18fefc5da40546d5926.exe
Size

60KB
MD5

071d30df2f537c7fb21a9eb447a5b22f
SHA1

d827495c1628b00b462a064f7ac87ea742494783
SHA256

4123ae0f82bcd51fca3c3d7ab5b5dd846af27bd6ff25e18fefc5da40546d5926
SHA512

a90a175fbc99047af65468c2bdb7310c481a74353ee71bb16e24c67880a79619c363d2abd5067fa1a2ac20259c1060628cd237440d4f40f7fa6e858ede98cae0
SSDEEP

768:DoKOR4vselZc/ACHS55w7Tno9Ax2eDx+9rK9oJFREs0Ej/1H5LDB+XdnhMl/Xdnr:DaxelZQAQSHoxvgK9An0ExBDB86l1r

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clqnjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cidncj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcopbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibank32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmaioo32.exe

Executes dropped EXE 64 IoCs

pid	Process
3328	Caimgncj.exe
4724	Chbedh32.exe
4508	Cpjmee32.exe
4060	Cchiaqjm.exe
4992	Cefemliq.exe
3576	Cibank32.exe
3736	Clqnjf32.exe
716	Coojfa32.exe
2184	Camfbm32.exe
1880	Cidncj32.exe
3332	Clckpf32.exe
116	Ccmclp32.exe
5108	Digkijmd.exe
5068	Doccaall.exe
1832	Dcopbp32.exe
2516	Dhlhjf32.exe
1596	Dpcpkc32.exe
1572	Dcalgo32.exe
1784	Dephckaf.exe
2140	Dhnepfpj.exe
3228	Debeijoc.exe
3092	Dhqaefng.exe
2728	Dcfebonm.exe
5048	Dfdbojmq.exe
4732	Dhcnke32.exe
2840	Dchbhn32.exe
4316	Ejbkehcg.exe
4844	Elagacbk.exe
2456	Eckonn32.exe
3248	Efikji32.exe
4216	Ehhgfdho.exe
1624	Epopgbia.exe
4032	Ebploj32.exe
220	Ejgdpg32.exe
4204	Ehjdldfl.exe
4256	Eqalmafo.exe
4208	Ecphimfb.exe
3040	Efneehef.exe
1984	Ejjqeg32.exe
1496	Elhmablc.exe
1436	Eofinnkf.exe
1888	Ecbenm32.exe
4304	Efpajh32.exe
208	Eqfeha32.exe
2208	Eoifcnid.exe
2828	Fbgbpihg.exe
3376	Fjnjqfij.exe
1556	Fqhbmqqg.exe
4380	Fcgoilpj.exe
1780	Fbioei32.exe
620	Fjqgff32.exe
1964	Fqkocpod.exe
2372	Fcikolnh.exe
872	Fjcclf32.exe
2568	Fifdgblo.exe
3288	Fmapha32.exe
2072	Fopldmcl.exe
3480	Fbnhphbp.exe
3708	Ffjdqg32.exe
4348	Fjepaecb.exe
3520	Fmclmabe.exe
1652	Fobiilai.exe
4312	Fcnejk32.exe
4948	Fflaff32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nkklocjg.dll	Elagacbk.exe
File created	C:\Windows\SysWOW64\Jcgaen32.dll	Efpajh32.exe
File created	C:\Windows\SysWOW64\Mcplce32.dll	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Ahgndd32.dll	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Fdahphpi.dll	Cidncj32.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Cpjmee32.exe	Chbedh32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmclp32.exe	Clckpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhnepfpj.exe	Dephckaf.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Ipckgh32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Eqalmafo.exe	Ehjdldfl.exe
File opened for modification	C:\Windows\SysWOW64\Eofinnkf.exe	Elhmablc.exe
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lbdcekmm.dll	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Kgbefoji.exe	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Dcopbp32.exe	Doccaall.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Efikji32.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Cniohj32.dll	Eckonn32.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Gqpmkibm.dll	Dhlhjf32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Giacca32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7592	7548	WerFault.exe	306

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaokiafg.dll"	Cibank32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecphimfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chbedh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcalgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cefemliq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnepfpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkhkpho.dll"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genjanmh.dll"	Dephckaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coojfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopeje32.dll"	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 3328	1424	4123ae0f82bcd51fca3c3d7ab5b5dd846af27bd6ff25e18fefc5da40546d5926.exe	86
PID 1424 wrote to memory of 3328	1424	4123ae0f82bcd51fca3c3d7ab5b5dd846af27bd6ff25e18fefc5da40546d5926.exe	86
PID 1424 wrote to memory of 3328	1424	4123ae0f82bcd51fca3c3d7ab5b5dd846af27bd6ff25e18fefc5da40546d5926.exe	86
PID 3328 wrote to memory of 4724	3328	Caimgncj.exe	87
PID 3328 wrote to memory of 4724	3328	Caimgncj.exe	87
PID 3328 wrote to memory of 4724	3328	Caimgncj.exe	87
PID 4724 wrote to memory of 4508	4724	Chbedh32.exe	88
PID 4724 wrote to memory of 4508	4724	Chbedh32.exe	88
PID 4724 wrote to memory of 4508	4724	Chbedh32.exe	88
PID 4508 wrote to memory of 4060	4508	Cpjmee32.exe	89
PID 4508 wrote to memory of 4060	4508	Cpjmee32.exe	89
PID 4508 wrote to memory of 4060	4508	Cpjmee32.exe	89
PID 4060 wrote to memory of 4992	4060	Cchiaqjm.exe	90
PID 4060 wrote to memory of 4992	4060	Cchiaqjm.exe	90
PID 4060 wrote to memory of 4992	4060	Cchiaqjm.exe	90
PID 4992 wrote to memory of 3576	4992	Cefemliq.exe	91
PID 4992 wrote to memory of 3576	4992	Cefemliq.exe	91
PID 4992 wrote to memory of 3576	4992	Cefemliq.exe	91
PID 3576 wrote to memory of 3736	3576	Cibank32.exe	92
PID 3576 wrote to memory of 3736	3576	Cibank32.exe	92
PID 3576 wrote to memory of 3736	3576	Cibank32.exe	92
PID 3736 wrote to memory of 716	3736	Clqnjf32.exe	93
PID 3736 wrote to memory of 716	3736	Clqnjf32.exe	93
PID 3736 wrote to memory of 716	3736	Clqnjf32.exe	93
PID 716 wrote to memory of 2184	716	Coojfa32.exe	94
PID 716 wrote to memory of 2184	716	Coojfa32.exe	94
PID 716 wrote to memory of 2184	716	Coojfa32.exe	94
PID 2184 wrote to memory of 1880	2184	Camfbm32.exe	95
PID 2184 wrote to memory of 1880	2184	Camfbm32.exe	95
PID 2184 wrote to memory of 1880	2184	Camfbm32.exe	95
PID 1880 wrote to memory of 3332	1880	Cidncj32.exe	96
PID 1880 wrote to memory of 3332	1880	Cidncj32.exe	96
PID 1880 wrote to memory of 3332	1880	Cidncj32.exe	96
PID 3332 wrote to memory of 116	3332	Clckpf32.exe	97
PID 3332 wrote to memory of 116	3332	Clckpf32.exe	97
PID 3332 wrote to memory of 116	3332	Clckpf32.exe	97
PID 116 wrote to memory of 5108	116	Ccmclp32.exe	98
PID 116 wrote to memory of 5108	116	Ccmclp32.exe	98
PID 116 wrote to memory of 5108	116	Ccmclp32.exe	98
PID 5108 wrote to memory of 5068	5108	Digkijmd.exe	99
PID 5108 wrote to memory of 5068	5108	Digkijmd.exe	99
PID 5108 wrote to memory of 5068	5108	Digkijmd.exe	99
PID 5068 wrote to memory of 1832	5068	Doccaall.exe	100
PID 5068 wrote to memory of 1832	5068	Doccaall.exe	100
PID 5068 wrote to memory of 1832	5068	Doccaall.exe	100
PID 1832 wrote to memory of 2516	1832	Dcopbp32.exe	101
PID 1832 wrote to memory of 2516	1832	Dcopbp32.exe	101
PID 1832 wrote to memory of 2516	1832	Dcopbp32.exe	101
PID 2516 wrote to memory of 1596	2516	Dhlhjf32.exe	102
PID 2516 wrote to memory of 1596	2516	Dhlhjf32.exe	102
PID 2516 wrote to memory of 1596	2516	Dhlhjf32.exe	102
PID 1596 wrote to memory of 1572	1596	Dpcpkc32.exe	103
PID 1596 wrote to memory of 1572	1596	Dpcpkc32.exe	103
PID 1596 wrote to memory of 1572	1596	Dpcpkc32.exe	103
PID 1572 wrote to memory of 1784	1572	Dcalgo32.exe	104
PID 1572 wrote to memory of 1784	1572	Dcalgo32.exe	104
PID 1572 wrote to memory of 1784	1572	Dcalgo32.exe	104
PID 1784 wrote to memory of 2140	1784	Dephckaf.exe	106
PID 1784 wrote to memory of 2140	1784	Dephckaf.exe	106
PID 1784 wrote to memory of 2140	1784	Dephckaf.exe	106
PID 2140 wrote to memory of 3228	2140	Dhnepfpj.exe	107
PID 2140 wrote to memory of 3228	2140	Dhnepfpj.exe	107
PID 2140 wrote to memory of 3228	2140	Dhnepfpj.exe	107
PID 3228 wrote to memory of 3092	3228	Debeijoc.exe	108

C:\Users\Admin\AppData\Local\Temp\4123ae0f82bcd51fca3c3d7ab5b5dd846af27bd6ff25e18fefc5da40546d5926.exe
"C:\Users\Admin\AppData\Local\Temp\4123ae0f82bcd51fca3c3d7ab5b5dd846af27bd6ff25e18fefc5da40546d5926.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\Caimgncj.exe
  C:\Windows\system32\Caimgncj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\SysWOW64\Chbedh32.exe
    C:\Windows\system32\Chbedh32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Windows\SysWOW64\Cpjmee32.exe
      C:\Windows\system32\Cpjmee32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        26⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        28⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        32⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        34⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        35⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        37⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1984
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1496
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:208
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2208
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        48⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        49⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        56⤵
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        59⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        60⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        61⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3520
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        63⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4948
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        66⤵
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        67⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3420
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        69⤵
        
        PID:372
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        71⤵
        Drops file in System32 directory
        
        PID:2152
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2576
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4776
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        75⤵
        
        PID:884
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        76⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2672
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4184
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        79⤵
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4952
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4040
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        82⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        84⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        85⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        88⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        89⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        90⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        91⤵
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        99⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        100⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        101⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        103⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        105⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        106⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        107⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        108⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        111⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5588
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        114⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        117⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        118⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        119⤵
        Drops file in System32 directory
        
        PID:1420
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        120⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        121⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        122⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        123⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5892
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        126⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        128⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        129⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        130⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        131⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5272
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5872
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        136⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        137⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        138⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        139⤵
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        141⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        142⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        143⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        144⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6400
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        146⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        147⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        149⤵
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6600
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        151⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        153⤵
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6760
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        155⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6852
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        157⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        158⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        159⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        160⤵
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        161⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        162⤵
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        163⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        166⤵
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6364
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        169⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6584
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        172⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        175⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        176⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        177⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7080
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        180⤵
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        182⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        183⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        184⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        185⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        187⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6192
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        190⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        192⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        193⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        194⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        196⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        198⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        199⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        200⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        201⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2076
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        203⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        204⤵
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        205⤵
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        206⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        207⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        208⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        209⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        210⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        211⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        212⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        213⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7380
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7420
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        215⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7508
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        217⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 400
        218⤵
        Program crash
        
        PID:7592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7548 -ip 7548
1⤵
PID:7572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caimgncj.exe

Filesize
60KB

MD5
994b0f8d363a58d653ce16b1be60bfbc

SHA1
fa140e5efa6a7e888a4262b6d5485d44a451997a

SHA256
b9dec62f7d2036d8ad9963c4908906f12cdd8d40727fbcc274f690690b98951f

SHA512
9e65091facdeea6e00338ed97eda21872ef31b86f2a05c5d0e9294ea0ecc99ae16e3d78ee78e024e02131e1dfcd11d3a850d48e932a1e4c544f1984a2e033a92

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
60KB

MD5
e41ead2f856df286a2a8cd0b2c26a0e2

SHA1
3994298abe89f9fd4242d8d6127c0ef8ad8e027a

SHA256
d1390e647e14b99357219c8eacb9f3491f377774ee2a0a0f9c35d9cfbd0d6c89

SHA512
3a78f18c7226e9633b9dc918b72552329b17bb937dd986fbfc7d9ccae40402d308f7254b9742688fc284fa973d1e759813c8da7e84c6317eb41ab1154ce2b3f0

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
60KB

MD5
f1d654c01771d3a3421f144bcdb02fbf

SHA1
a60ccd48a2a80a266623ac43c0edef11ea1873f8

SHA256
97735f577aecbfb6a0bf580b6d6285ba6dcf898d9d85e67678d2d31f123862b9

SHA512
8c56794346d65372f1ff885c81981cd2e537a5bf7192f00948934365c2fedde30cdc359a28430c5a6bfe3609b3f3342cafc36a60d2cbb534d8f7db11fe7d4911

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
60KB

MD5
092d546b9a790d55530409abfed429f6

SHA1
696a3f2ad5fbfc259a8735f71c4e7837c655774a

SHA256
c3623601db8664053920d87f583f9f6710e0e13587cbefe242df6cfb6a5e9bb1

SHA512
f847f4d8fc80dfabb572c255da1b4b01de5aaadf7c516862739527b40372d63466517c051fe96aad15379d2d535e6e697b9548ffff3f9685fac56739bb58cec7

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
60KB

MD5
0e30a32049db4359350c407006836606

SHA1
cc594b4e403e4a7ae5370c5eb1beeca1cfb9b24f

SHA256
897b54e1640323be9ec02e18e162c4e9bb19069b598a776238df8bb0c8beaa71

SHA512
f27438b63435f9506318acc0aecd060479b0f07b342157135cf4a6c8def86c3b4e452eb106567c8d2feadd3a194ddd508adac0da51712f80913de03bb6544f0c

Download Submit
C:\Windows\SysWOW64\Chbedh32.exe

Filesize
60KB

MD5
033f069f4076ae1d6c31e370731259f5

SHA1
32491cacee13d852151d7fa01b58d99393319830

SHA256
db27322dd4869f9d38d74e4f6a24d2da8f9ad54ac88b504b94711aaa6557339c

SHA512
4cdaf8415a88cddf72601a538669badff9cb7a227ecab4308bbcf752441c4283cdf085808ffb328322d6c0129e48c6175253cfdd47dbd36fcd082f9fa58520e3

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
60KB

MD5
05f4a19c8479bac9d4dcf60f1ae0a0f9

SHA1
e8b63cd3c42256e4ae92d20006ae1d83edab0a6e

SHA256
5f22af4bc7cbb47813b206108612bccfb4c03dd0fcf27ecf03236007b8e5620a

SHA512
ace2074509bb3085f907ca9388c111463f7c45d37d7cf3267f0ebff200575f1db6fc91a02dc64de1fdf850fb764b5dc8938dd970a70891c1d224d21f6f325e09

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
60KB

MD5
c91d8b1e2dd9eec08304dce9408aeb3a

SHA1
a9e64642b92014e2200f8ea233dd2f48851fff3d

SHA256
be402c0b77d65cd0d234600f0598cac57759f53cdda30833dfb63b8f4963009f

SHA512
43412919354733459a51494188ff1cf4efdef116cafbb8dea91bdac04eb1689b5882691d0497dfb5a20067c8061d4037f056185a005fb802d8ee5a2a7dffa38c

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
60KB

MD5
c793e40052358eb1709ee8077f91e977

SHA1
7a67313104de5d14e78ffceba1bb5b64f3fb4f8a

SHA256
05f863056512a48e0c740cbda728827a5b054ca4de6a4a0b94c46d77fc2eff90

SHA512
52484d71bfada99c5135f8ed6f590108254f9db039534363cfc3db21cbe270dc21dfeb13c6ecedb84e139976bc4f9817e5c2ccc6cdde70e9558cce794301c332

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
60KB

MD5
6d6a6508358dc8f4775ee5f574d041c7

SHA1
73eb7c483dee5e42edb9fb09ada6e9eec3e6746e

SHA256
e1b7d420d4d39453730d94b8bf629846e955a970466df67b87817bcb44f1f515

SHA512
f9f9686c28a50544ecf124e0115a46c2427d8f172a1cad5a2149e31a8382ebafc2bdeee799411e9a7655746400c5711ea107a8facaf5e491ad58e1bd471f3059

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
60KB

MD5
48bb7423dd7eb7c0e8d407569daee5cc

SHA1
f692213e1265e13f9e1eaffcc5d061bd65cfcf88

SHA256
bc763599fc7f3d1eb5178066626e85ddb8a8bc308de2b7e66633aa356cfd630a

SHA512
242c0776ade5a35675e225dd0e788d2d979459927ebfd43c8394f7360b0f527b8f7783205b64cc7cdbe4b5734aa4ec63f2e39c6de9822239dcee500bb3b45386

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
60KB

MD5
684b87e32327c73b76787994ef4b6632

SHA1
d0906bee7fa5ac051bad63d6abd9419c67b5842e

SHA256
8e665bf5dfc092bd573d7fce6284f8549d57ded1a5e97663972a735b521d5776

SHA512
d5c1e7a99bd83587672bf43708756ed9de9715388788347876a8350bc2c9cd3482aaf12fba352390d00c85bde0fc50fff29d004cc44c820ff02651d9d7aaae84

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
60KB

MD5
f7032bb49ee033dbcfdf29dd68684e06

SHA1
fa181b97d5b8eb25e21756421de52771eec373bc

SHA256
14c7f300eeccf450a6b75c1430f508effc325349b7296add1999f69e20d75a4d

SHA512
1d42836d2b2478b682cbbe0f18d8a25e20611b3ced59b419756420a2fb23f9363a513c81b968bdb1c0992bc3570b82af3913101c56e8b8751bb303cf3639d1b6

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
60KB

MD5
40cfd83625702de7bc588371c848d8a7

SHA1
8eb58ca3082767914c51923222104ceffa5a90eb

SHA256
a50aab1b2d63284b2c1b2f9cea6c76d141c4187612d5b3342ca383de5aa919b3

SHA512
ec9a62c5d24e470ff90870d4e104b9174ba7c97aaf0efa1eab8a97de470403e0d4a63094289b05206791928b624e75a52ae23b1629cebf0c85b9f59a209dd443

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
60KB

MD5
ce51e4ed86671ad8d35a37553e2d0cce

SHA1
5cc873c4c51fdb6d5a509b8a8d4e92059be6fa76

SHA256
6971635d2686cbe39492fbc2b20eede46788946f8e7ee64cba3e1a964d7afeb3

SHA512
93734e7d8dfe176e06fac50dab639114066501bdf8535405190a25200c522da83c06deb0752206d13f794ec5694d20daa97821c1c5bd5850f8e45c5de03f1502

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
60KB

MD5
d36f1a316ac194a9392a1334bcf50083

SHA1
9927049007dea4239e0ef8051adfb2400a0df3a7

SHA256
08e3a90dbf9a80f46e399b8e60476749c6b370fc2cec7c7b478dc8e0adc651de

SHA512
69091c188c0663b3eb202e41853000ce597a7188f135400d1d394080c8b4e98cf41927a91fab90487a6bde15db47f0ff5c0537a44adf5320852a11a7b9d0e5db

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
60KB

MD5
d2c31374763b689a583262dce8cfa08c

SHA1
e4dbec902b67d4826ad71c772d435d0d409e38cd

SHA256
a7a4ab46a9ce186e5d80f7f03d9f41c16dd4b510797d3d923c6cc0101e6fd147

SHA512
81972b415265d8ac9cd9becc645f98ab0c0933e49291c465573a7b664ebe6b0cb201dfb4de0bcd14b04e0cfc12c6a95e6e5b47a36244330ee245b3d36b499fb8

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
60KB

MD5
3e887a6a5592ecb2fa004640c717e739

SHA1
31de52144c2e0139bd467f9bdfc1e189f9c2de70

SHA256
cba5ca7a05710cb3c224fd1deb2193bcf792aceb3cc4314369b529c9fbaf73f3

SHA512
9494de732fe32d6e67212390254c1ffcee1e7e03440ccb31220ec8ae4e25474e2442c278cb6f36d8cbf4049df4fc889400902ef568f5651e5a66e93bf7c5ed8c

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
60KB

MD5
6e9c65c76a0567f694fc6e4b45af0758

SHA1
008d852dc1e07eb1410d2a2eaac07665bfb68e8e

SHA256
063cd2d17d33945d880a7105f0c8d85545b3516e0411ed9957401a9c4ba3abb7

SHA512
9b159cf11ffaaadc407a6b651b6260093ebd1223d7a554ff280b756a9b0e211d64b64875d0cdfbe6765107c413c8fbcfb335744816f7674a31206c9269c9e9d5

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
60KB

MD5
5ddcaa754dfff76994791aaf04fc975e

SHA1
4a327c4dfa35ce7b77695372e90e1eaf436381ca

SHA256
c30420455354f6f77a27bcb85d9b7319a4495e54d4acf9f1fb37b37a43978998

SHA512
9b19a35739cd709dbecf33671ac03eb94926291907749802c69df1a1ae4d3043240610beba9dd903634b92edb8775d4ad2ee4f9124fb1d607409f76b100eb7c8

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
60KB

MD5
820ea965dcf8f8035c875687f786e999

SHA1
c29cf454e49928a17fce2866002b4416a31e84d2

SHA256
4ee06ab9b6ed3f539810fc19cb23aaabbf5bce4e5c9c982e242bf6708e9018e2

SHA512
0861a59c1719b75f9f671d746e18d54af877ea409639779aba9e176ec61180a0a3758ab7920402171fc1db7d0213c7711d97be0007b7771fee5f07c9ae53976f

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
60KB

MD5
f24a8b3ce2abc904e62ba8bc688dbb59

SHA1
7573565780686fc5b6eb7f99e0dc9076f014f279

SHA256
2ec1cfbad3302400de3fc0e9aeaaeb0b606b2eeadc652803a8ac3de25a0d320d

SHA512
1d942deaefdff41ce69a7c176f4cc5c2c1f713b11564f7b5725ad05ec68156bac43a401b3c9cb09a45702b752a2286818e9bf661a5abb491b2d9b7f218252b12

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
60KB

MD5
4119dc909e3a5ae7b7f7efa0214d6b49

SHA1
b73e68532f8c9789c6be1b41d2596604267884ec

SHA256
9db9d7a02a2a212d46ecac284a62fc8fb4c5d3529854c5409a4190880dff0f16

SHA512
d3bad78f9fb33d3a27128af094a30f7fe789e05d822b44ca79a3cae1f8d6de1059d822769858006eaa799acb98c402920b727bc44758bac0b8ef58b98a454bb3

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
60KB

MD5
eccda72f5901a9f9b880cb37d4c687f4

SHA1
78b32537f534eaf36d30f40afc8ee02c06ff70c1

SHA256
3145d0694f50037e7a40da39d62e4d3acf16a32ab37c1d61d613f503298eb81b

SHA512
dab9dfaa9e8afc673e21f759470b916fa9df6cf043c581c3d463f3940004c37d463e80ab351167eec8a247193fb16fdb5dc5b97c09eb3dd77b67af1f9a951e64

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
60KB

MD5
afeb544a9637b8b1fed85a00a3c88ca7

SHA1
2fe1b9d898d4a9609e9f6d0779e9ce9c56ec1e33

SHA256
bf821e730a6e5e9b8061b46e2dfa4d9460c54adedd8b6a04b0985576fb4ad790

SHA512
c6b0ed1fa0c303482880447683e7746f78e3c59d6ad0aa0fb5334aa1c5e15a30abb43ea92654438fb25a1a784ff6e41dd32cfc8c71002a74c178a8d5394434be

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
60KB

MD5
a8351cfe493685098d32434f1e5db975

SHA1
983c34f493c0cdd43411dcfed4f9a382c52c257e

SHA256
51b92bd3e775d5cad6b80e1befb0bf01636f7f717e15c0161de57742319076ee

SHA512
8af086fa9ff1a787d1b74bb48226d1ab1153ea304aa5e6bc7a9d5960d87cf094c42e49afd58f04e9bec77e72c983e276fd2f3d90e0779bc88994320dfac01e1c

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
60KB

MD5
1bc465ce044262e0bcb3a873d765c06d

SHA1
28aa84248ea14b67184b9e6775c2d5860c804cc7

SHA256
0559b0e5b0187fe5d3b51d6ef270644a6612691984bba3e240cc5e0d9f44bdc6

SHA512
21b537e2fa7e8250c8e9b52bda87e197c85fecfe2fdb7952d3baf1dded4fd160e3087633d0e9e549258d47077108c0887b5035531b59f832361bd99645a72983

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
60KB

MD5
d1c56e976aefed6d61bd45a371cbeb66

SHA1
4c4fb77f9522e8522430cffd336df13605868595

SHA256
7bc059a0b261ba9700fc0e81e89ad642e9666663ec362e97c95661ecc032d841

SHA512
62e278515bb69466035e17b7bf909ef92b25903082c11904903b2caba60cc9febeb7d14e6e60ea6127956d396a5a313c8d06b6bfd97548d7252cd75933884253

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
60KB

MD5
9df8b362a0659e5fbbe325d86b03b278

SHA1
e7959ef9ce1246a9da8d62ac856c639705084038

SHA256
9c13f533aec260def3d40c59e0d9e7976385e3ffa224b13b8b5bdd82bcfc9330

SHA512
48d5ca1ccc342693e4cea0b7754ded3f4db55340abfb4030b41f1f5fd04222b5def9a14dd9329c212d2fb620e12e04bcf8c530a842d2fdb15a3823ec28b10573

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
60KB

MD5
74ad78a0325239c92efe98aca97ad2bd

SHA1
f1dd433acec21016061308bd86e4e35390bd7121

SHA256
fb5cffd6513ddc5ff0f48c10538c437dbe409285c5f4abf66e498d00a52a6003

SHA512
e5b7a2788470de22fc8f8bf3c8fd10a4ee13891c1ca36a4ba40b1c5e7274911c07c44d7fd84e7ad33c9b10c286f0be1f763cf5da247e2c10fbeaa381df3659a7

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
60KB

MD5
19aaf5f6399ba17931d00d82c74b93c9

SHA1
40869e5017caba1a001dfedc31d9847107956c92

SHA256
8588098f75599cfa3079b0e0a76da9da13b66fae9bcd59af3c7e97cf47d90956

SHA512
c5fda2d42c6dcafa6fc0ae64dea535a75b728d2f8c1ea19dc41e8d0bac063498d82aad032c495df479dc112cc3c327d35136b665a4b28e1368cae42c6af46dfe

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
60KB

MD5
3dbb2e10ad115f1fb9068b3e6129eccd

SHA1
b64219156b823a251f7bba21d0f219079458efa5

SHA256
f8923ccb58d4ad8c50d7cb9df1ee3ddc954624a55bd37d1866ec5fa3aa976ebd

SHA512
ff0b5fdb66a7d1a260a990bddf4dcfe74ce4ba3eb3e33a78c9b6a7fc3eb6d105bbb23474467485d5d51c77ef74e9dd9cc95dd3685034a14f12b8b84d43be6522

Download Submit
C:\Windows\SysWOW64\Gidphq32.exe

Filesize
60KB

MD5
3405138e7c2022cbb6e1e1668a2f5cd3

SHA1
63c5e248f7d122c59a273e8645e1d85cedd05f4b

SHA256
5e946dd0a5111238bb983ac0ea4606674cc10d460aa9c7ab3c002648ac48ac4e

SHA512
2418e69aa32db3ef8451dba3055da025488bcf3f646dd25009260b08ff900bcef473bf647aa8f9d9f240f5b5d90b1eb32dd4445bc03ae613d7d51356b678eaf6

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
60KB

MD5
9a6ab97fa5762b684154dce9436e01e5

SHA1
4dbfa6347a44110c283a4cb010f372df691425b8

SHA256
a25ec5ce873db385669776d2222e58e0021d125cb4985993e72fbbd49227e061

SHA512
7534c533c8cb6e8e4b693c761e4398f6015b7a5a454e2c41d57a6c448709c259bd943270edf35a623ad9f6afa9f19952f2027b436f545a8fff7a39216372e00b

Download Submit
C:\Windows\SysWOW64\Ijkljp32.exe

Filesize
60KB

MD5
093ade48865b62b3038cd6a2fe3d4491

SHA1
dba4ae650dd596675f0e62ecdbc9e6a2c2f4ef6a

SHA256
34730b0d0553a63ad6b6364241caa19003af19867972738faffb454fcdc01113

SHA512
d4c5746d34284b03d0dd2a3f4e4c4a4e41870f7af270aff83a0553c95465abea3c4190003b997177180a6095fd1d8fa114661b0c3d1246e84e91c87becb706d6

Download Submit
C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
60KB

MD5
2e46ea0498d06b346c16a1b9ce86662a

SHA1
789987119e73e831cde81d0fade484a6c9c00a82

SHA256
2866089e817b4f8a7377afae251da71b4311dbc9889f31e8c49a482331121011

SHA512
38cc988f6d55e30627091c8db62bcd9bc960ee62b59b0acee824a95564c443010844d6327e6929a684b5d9f1627aa0bd0f52b50bcff3ab245d1c3295853b4b5e

Download Submit
C:\Windows\SysWOW64\Kkpnlm32.exe

Filesize
60KB

MD5
9c108bde82732217f64b6f741b697303

SHA1
5c7fa2d2b5fd5407b2a32696fccc902f22dd5d52

SHA256
219b09e72e7e5834df81f866a1b9517bf8911f56e422d4ced158131f6cf98eb3

SHA512
67aaaf36118cff0445c29394fd9b820c0ae65c5518ebc9eafae1f646c3ff492844d711b825a9dfd33e3b72a289d3a405e1b66278b8ec2ebc1b76bb763497572e

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
60KB

MD5
68b91d0fa5acfd7872d630beaad0a940

SHA1
3ebbe875a71fb25d14705f32cf4386e9f10c20d0

SHA256
09a8b32f44e8fa0f0dbb8b7e392365a7fba1d8d7b4392850204db531620e67b4

SHA512
57c3aaf2545c1d8a6ebec77d2586d3dfca287aae03242bb89440159427340df83376f638a46f2164c9623a7cce1eb26ef73c8a74d55ab012cdfc5bedf96982a4

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
60KB

MD5
c6af0da620d939c73e74ec38bf71d7a5

SHA1
0e5c45484c226f209e50f519f7773af6ad3695e1

SHA256
af588bad84df710095572145b0b99c0636cc0a0be1755f98910588784a792892

SHA512
1c08067769317bca1e742b86acc8821e604333382076cf5c0ba5a5900799cfb858b23805e45491ac6c00557a060d0af8ed3ca8d2860cf4478a6126a602cadc9e

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
60KB

MD5
a2d3dd4e8192d194d81609a4dc647244

SHA1
9ff0de7a64150615b010895a057f76044a648d0a

SHA256
4ba2c44c783b736bc046190a57baaf61294d4c3d2c34ea01247c0f76be52ec37

SHA512
b1f313589e89ffeb295de77e1ac7778f2dc6c8f4487c11add8e3781fab43a048f47ec3fa312f2bb46f2051763e2813d785666944c04085d32f5615768d46a6b8

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
60KB

MD5
f419f80b27fd709b056eadd0b7eed583

SHA1
e7da7a8ba6cf7f10135dfc57433d55fc199a78d1

SHA256
9cb6ccfeb15f8df9b755768919d4237b84e642746142a0c5d037c682b4d07191

SHA512
4995991601de12353b25e2d7c7e0901b3268715a83d579d2bd7e73d71c8ae20e5e49178f25655dc61313a8fbe8f349d1e2b633a36086059f408e3bd75000c362

Download Submit
memory/116-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/208-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/208-396-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/220-279-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/716-150-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/716-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1424-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1424-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1424-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1424-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1436-321-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1556-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1624-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1624-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1780-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1784-243-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1784-163-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1832-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1832-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1880-166-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1888-385-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2140-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2140-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-158-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2208-345-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2456-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2516-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2516-209-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-193-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2840-219-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3092-184-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3228-259-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3248-257-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3328-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3328-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3332-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3332-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3376-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3576-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3576-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3736-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3736-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-37-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4208-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4256-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4304-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4316-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4316-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4508-106-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4508-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4724-97-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4724-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4732-285-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4732-210-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4844-238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4844-308-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4992-123-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4992-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-201-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5108-191-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5108-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads