bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571

Resubmissions

16/04/2024, 01:46

240416-b7cx4sgb8x 10

16/04/2024, 01:40

240416-b3h9bsga7v 10

Analysis

max time kernel
94s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe
Size

80KB
MD5

52e59a3f50af9bf76936e7e7f682afaf
SHA1

8d9e6bd2afb90bdc5a7a5f0c73fc6222cd4ee99b
SHA256

bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571
SHA512

726409abf756e37d4ef9eafae7a4e828d7d120584fd23773be81e51300fe2a46b0db1f4d85550afe02e121bfa469cdbe0b4780b8dee54e1c39d80bf63eca114c
SSDEEP

1536:nMXLXQ2VEmF/QncOw1CCbhgOLzDfWqdMVrlEFtyb7IYOOqw4Tv:Is25QcOwcC6+zTWqAhELy1MTTv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elagacbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpjmee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchiaqjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dllmfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doccaall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlgdkeje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cipehkcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elagacbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cekohk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceibclgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpofpdgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe

Executes dropped EXE 64 IoCs

pid	Process
1476	Caimgncj.exe
1580	Cipehkcl.exe
3552	Cpjmee32.exe
348	Cchiaqjm.exe
1160	Cefemliq.exe
840	Chebighd.exe
2080	Clqnjf32.exe
2940	Ccjfgphj.exe
1424	Ceibclgn.exe
2684	Chgoogfa.exe
2288	Cpofpdgd.exe
4652	Ccmclp32.exe
3176	Cekohk32.exe
4712	Dlegeemh.exe
4196	Doccaall.exe
1060	Dabpnlkp.exe
4584	Denlnk32.exe
4804	Dlgdkeje.exe
4660	Dephckaf.exe
3904	Dpemacql.exe
1428	Dagiil32.exe
2092	Debeijoc.exe
4848	Dllmfd32.exe
2248	Dphifcoi.exe
3184	Daifnk32.exe
1068	Dfdbojmq.exe
3208	Djpnohej.exe
3984	Dpjflb32.exe
4128	Dchbhn32.exe
3308	Efgodj32.exe
3916	Elagacbk.exe
3264	Efikji32.exe
4880	Ejegjh32.exe
540	Epopgbia.exe
1964	Ehjdldfl.exe
3564	Eqalmafo.exe
4832	Ebbidj32.exe
1164	Ejjqeg32.exe
628	Ehlaaddj.exe
1940	Elhmablc.exe
2280	Efpajh32.exe
4072	Ehonfc32.exe
4792	Emjjgbjp.exe
1372	Eqfeha32.exe
3476	Ffbnph32.exe
1112	Fhajlc32.exe
532	Fcgoilpj.exe
2476	Fjqgff32.exe
4568	Fmocba32.exe
2124	Fbllkh32.exe
4192	Fjcclf32.exe
1312	Fmapha32.exe
2264	Fqmlhpla.exe
3460	Fopldmcl.exe
1784	Fckhdk32.exe
4836	Ffjdqg32.exe
2456	Fmclmabe.exe
1248	Fobiilai.exe
2256	Fbqefhpm.exe
4136	Fjhmgeao.exe
3288	Fmficqpc.exe
5064	Fodeolof.exe
4624	Gfnnlffc.exe
3600	Gimjhafg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dchbhn32.exe	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Cchiaqjm.exe	Cpjmee32.exe
File created	C:\Windows\SysWOW64\Ddphck32.dll	Cchiaqjm.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Fmclmabe.exe	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ipldfi32.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Elhmablc.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Dephckaf.exe	Dlgdkeje.exe
File opened for modification	C:\Windows\SysWOW64\Dephckaf.exe	Dlgdkeje.exe
File created	C:\Windows\SysWOW64\Dllmfd32.exe	Debeijoc.exe
File created	C:\Windows\SysWOW64\Efgodj32.exe	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Clqnjf32.exe	Chebighd.exe
File opened for modification	C:\Windows\SysWOW64\Chgoogfa.exe	Ceibclgn.exe
File opened for modification	C:\Windows\SysWOW64\Debeijoc.exe	Dagiil32.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Jcgaen32.dll	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Nigpemda.dll	Cipehkcl.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Efgodj32.exe	Dchbhn32.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6720	6484	WerFault.exe	289

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddphck32.dll"	Cchiaqjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmljla32.dll"	Ccjfgphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll"	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chgoogfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dephckaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgbbq32.dll"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cefemliq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaokiafg.dll"	Chebighd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clqnjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1476	1912	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe	85
PID 1912 wrote to memory of 1476	1912	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe	85
PID 1912 wrote to memory of 1476	1912	bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe	85
PID 1476 wrote to memory of 1580	1476	Caimgncj.exe	86
PID 1476 wrote to memory of 1580	1476	Caimgncj.exe	86
PID 1476 wrote to memory of 1580	1476	Caimgncj.exe	86
PID 1580 wrote to memory of 3552	1580	Cipehkcl.exe	87
PID 1580 wrote to memory of 3552	1580	Cipehkcl.exe	87
PID 1580 wrote to memory of 3552	1580	Cipehkcl.exe	87
PID 3552 wrote to memory of 348	3552	Cpjmee32.exe	88
PID 3552 wrote to memory of 348	3552	Cpjmee32.exe	88
PID 3552 wrote to memory of 348	3552	Cpjmee32.exe	88
PID 348 wrote to memory of 1160	348	Cchiaqjm.exe	89
PID 348 wrote to memory of 1160	348	Cchiaqjm.exe	89
PID 348 wrote to memory of 1160	348	Cchiaqjm.exe	89
PID 1160 wrote to memory of 840	1160	Cefemliq.exe	90
PID 1160 wrote to memory of 840	1160	Cefemliq.exe	90
PID 1160 wrote to memory of 840	1160	Cefemliq.exe	90
PID 840 wrote to memory of 2080	840	Chebighd.exe	91
PID 840 wrote to memory of 2080	840	Chebighd.exe	91
PID 840 wrote to memory of 2080	840	Chebighd.exe	91
PID 2080 wrote to memory of 2940	2080	Clqnjf32.exe	92
PID 2080 wrote to memory of 2940	2080	Clqnjf32.exe	92
PID 2080 wrote to memory of 2940	2080	Clqnjf32.exe	92
PID 2940 wrote to memory of 1424	2940	Ccjfgphj.exe	93
PID 2940 wrote to memory of 1424	2940	Ccjfgphj.exe	93
PID 2940 wrote to memory of 1424	2940	Ccjfgphj.exe	93
PID 1424 wrote to memory of 2684	1424	Ceibclgn.exe	94
PID 1424 wrote to memory of 2684	1424	Ceibclgn.exe	94
PID 1424 wrote to memory of 2684	1424	Ceibclgn.exe	94
PID 2684 wrote to memory of 2288	2684	Chgoogfa.exe	95
PID 2684 wrote to memory of 2288	2684	Chgoogfa.exe	95
PID 2684 wrote to memory of 2288	2684	Chgoogfa.exe	95
PID 2288 wrote to memory of 4652	2288	Cpofpdgd.exe	96
PID 2288 wrote to memory of 4652	2288	Cpofpdgd.exe	96
PID 2288 wrote to memory of 4652	2288	Cpofpdgd.exe	96
PID 4652 wrote to memory of 3176	4652	Ccmclp32.exe	97
PID 4652 wrote to memory of 3176	4652	Ccmclp32.exe	97
PID 4652 wrote to memory of 3176	4652	Ccmclp32.exe	97
PID 3176 wrote to memory of 4712	3176	Cekohk32.exe	98
PID 3176 wrote to memory of 4712	3176	Cekohk32.exe	98
PID 3176 wrote to memory of 4712	3176	Cekohk32.exe	98
PID 4712 wrote to memory of 4196	4712	Dlegeemh.exe	99
PID 4712 wrote to memory of 4196	4712	Dlegeemh.exe	99
PID 4712 wrote to memory of 4196	4712	Dlegeemh.exe	99
PID 4196 wrote to memory of 1060	4196	Doccaall.exe	100
PID 4196 wrote to memory of 1060	4196	Doccaall.exe	100
PID 4196 wrote to memory of 1060	4196	Doccaall.exe	100
PID 1060 wrote to memory of 4584	1060	Dabpnlkp.exe	101
PID 1060 wrote to memory of 4584	1060	Dabpnlkp.exe	101
PID 1060 wrote to memory of 4584	1060	Dabpnlkp.exe	101
PID 4584 wrote to memory of 4804	4584	Denlnk32.exe	102
PID 4584 wrote to memory of 4804	4584	Denlnk32.exe	102
PID 4584 wrote to memory of 4804	4584	Denlnk32.exe	102
PID 4804 wrote to memory of 4660	4804	Dlgdkeje.exe	104
PID 4804 wrote to memory of 4660	4804	Dlgdkeje.exe	104
PID 4804 wrote to memory of 4660	4804	Dlgdkeje.exe	104
PID 4660 wrote to memory of 3904	4660	Dephckaf.exe	106
PID 4660 wrote to memory of 3904	4660	Dephckaf.exe	106
PID 4660 wrote to memory of 3904	4660	Dephckaf.exe	106
PID 3904 wrote to memory of 1428	3904	Dpemacql.exe	107
PID 3904 wrote to memory of 1428	3904	Dpemacql.exe	107
PID 3904 wrote to memory of 1428	3904	Dpemacql.exe	107
PID 1428 wrote to memory of 2092	1428	Dagiil32.exe	108

C:\Users\Admin\AppData\Local\Temp\bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe
"C:\Users\Admin\AppData\Local\Temp\bfb35db31171eef4eb189998435718cd430cd0fa85bc4523c3f083a5f7eb9571.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\Caimgncj.exe
  C:\Windows\system32\Caimgncj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\Cipehkcl.exe
    C:\Windows\system32\Cipehkcl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\Cpjmee32.exe
      C:\Windows\system32\Cpjmee32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:348
      - C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        26⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3916
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        33⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        36⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        37⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        41⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        42⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        45⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        50⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        52⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        53⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        62⤵
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        66⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        67⤵
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        68⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        69⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        70⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1720
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        72⤵
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5004
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        76⤵
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        77⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2344
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        79⤵
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        80⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        81⤵
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        82⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        83⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4376
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2812
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        86⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        87⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        89⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        90⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        91⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        92⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        93⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        94⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        95⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        96⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        97⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        98⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5740
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        100⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        101⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        103⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        105⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        107⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        108⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        109⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        112⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        113⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        114⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        117⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        118⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        119⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        120⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        121⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        122⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        126⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        127⤵
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        128⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        129⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        131⤵
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5664
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        136⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        137⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        139⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        140⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        143⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        145⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        146⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6244
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6284
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        150⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        151⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        152⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        153⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        155⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        157⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        158⤵
        Modifies registry class
        
        PID:6712
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        159⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        160⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        162⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        163⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        164⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        165⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        166⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        167⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        168⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        169⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        170⤵
        Modifies registry class
        
        PID:6204
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        171⤵
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6400
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        174⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        175⤵
        Modifies registry class
        
        PID:6536
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        176⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        177⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        178⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        179⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6892
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        181⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        183⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        184⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        186⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        187⤵
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6804
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7016
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        193⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        195⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        196⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        199⤵
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        200⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 400
        201⤵
        Program crash
        
        PID:6720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6484 -ip 6484
1⤵
PID:6532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caimgncj.exe

Filesize
80KB

MD5
a5719116dd14801fae46d4ad7fcd5c90

SHA1
a31681275506d1620cdf97f5c1c7a8c200473bf1

SHA256
1eabeec6b2f809a677df2f45f817288e1b7cdc86e41b53b1545a7259f12ba189

SHA512
f85cbea4057da3ca27d5bb6e7310522e4b27f6e6bb480d21cea5bd29b160bbde5715799ffe303e184b9b4272e05e6ffb40fabd0c995402e627d39b58617b575d

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
80KB

MD5
3f64db18f1ce1665119aa07db89d41c5

SHA1
b08260c230b5fe9b5f79b2aa1959680fe3171f84

SHA256
329d411656377e74eb7926eda8a655234bccd59209f5d761f860f8b6cfd15e98

SHA512
8ff4679b6f8c45de4cc54619297da823cf578cd10b93b054e0e2d281bb6217de2e44f368de3c3846615f4aedfbd74b7f8fbf6503132ee2a4da64148e02b1f448

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
80KB

MD5
73fc8d84caf5e6a2c24be78696f58bee

SHA1
7f76417b6e9c1c11c075425152ec1994c66c93a8

SHA256
c9190228b2b554c7dee21189ec495a817e31c0e3634836ee2e92dbdbd1a3a9dc

SHA512
e0ce8cc049e050503e8fc0000c6f84359d9e33a90cdceb03d849780ffcad9a24266285133906909c9ff94b603751e04e92f8df3c125863def41d9c468baee0ea

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
80KB

MD5
4213e83d49f306b4c9b35f4d64c7e39d

SHA1
9901f4e9eceba978dff902d10986e510ec5704ab

SHA256
640a542cd6c59007d87d784dfbcf56ce3226f82498d5fd3d4e9236210f2d7e8b

SHA512
52ef924c0ff5efed71f40e6f8d59df7aab4b7b23fee20f186e97947063d4735d21f32b244e549eae8ff7b46c250c1e22581aa325d5486160cd840b2806dc6200

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
80KB

MD5
bae29a8c9afd561be312de7d9bb1ce69

SHA1
04c8d0c3f48cf3949aad1cc01e847939691a5475

SHA256
ec6a8f782ceff8883517fdb6df9037492aab33ce196bc1f0a3ba7a77d0bdec3a

SHA512
0778abdd44e778d9553de9bd0d2fa0f168cdfdf135bb612c84b180c1ab196e1cf641d076d433cf951269645abeb9fba2231d729088236a9f1de28bcb252e33a7

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
80KB

MD5
5613552f150f5871571c7aef73995422

SHA1
18e338010c2a9d581836c4d64be2b21720629034

SHA256
2e3d1fb5d229cecb4747a6714ddff329fb0c0066f1b2c328c9f3c3d4a40d2141

SHA512
b3172e2868688cd88950de9f17d0e1e7334c0beb8611bff2bdb806e4f236dc4a61d75f9a8a95e9257c9eaa65ab3d0bb975ac5c1e9daa6196d758810cb7271aea

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
80KB

MD5
ae444a55b0be3de5b21b871f5c594018

SHA1
b3388d726b84f8e584f4273a00b848316f56fd18

SHA256
ca6a7e2fca72c0d15cf4bf336a58efcd2029a2daa04b0c0e1a0bebbe51997a24

SHA512
960166fb7e1863b2682c0e17dc484e789efea27debe597b5a52be692bd07cf5894d0bce2bcf998d8bc5d6df70fac2a4134bebef840b7248479100885bb3b6501

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
80KB

MD5
4e9583a43b862ac2f97dfa38a2eab0f4

SHA1
0f6982d034196f401aae88c63b9e50624e657f23

SHA256
fe169a8bfdc73169af40c050d88ddd03f6870c7f7bafd29be59292215ca1c58c

SHA512
50bd1f1603bdc3b7cc4e6ba2c23589583a426606df01aa2cff3d617f6a16336e07b3fba396b01dda686ed6ed23ecf6bec98286949d6693bf5b66de782b66c57f

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
80KB

MD5
3d1375708a95c117f4d76c6376d104d8

SHA1
896ce4ba0fe0e88db6b71f648900ec9de5e49c4e

SHA256
90d1c72dbfe668054c960e72a3b07e8d3711a679c179cf6b07d2a005e46c0555

SHA512
e11241476533073ae07c5f03fd053e6b6c896e3b21c23d50df682df9ce2f1606898c888e1a4f0a68fdfc9e25614c22dd1a659cf1fc62d9418b82542f3fa887f4

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
80KB

MD5
be93b24ce723f4a0929f457f21ab26c7

SHA1
8659d5bd57b963277a00410732540594fe82039b

SHA256
3b9dd92b7cc1707e6ffdb3ecdf618cadc8283201b6e922ecabfbd63b68a07a58

SHA512
0f37fc9cc65990e14f6e4e90a22ad12c5c65227935509b1fc2be0d41a86c64e21a30da424f16e774decbd9cc04163ad47fd4e8a432196abace131111399a1856

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
80KB

MD5
cf7b3c32d42d493ca5d5e3586cb49a88

SHA1
964473f6ae5ca253c0edb7e5a4f657b905247c19

SHA256
49378feb17d8b76b4b90f5ac3c5351396a8cd190f73f348351bd409614ba96b5

SHA512
b91ad73f394cae3f3f9a6423c367cbf6f20e14a3b4553aed370a4d1137c15cc2aba44c805122bddb85f15d311a28bcc608e061f06f604e55753616339357b5dd

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
80KB

MD5
e40fb0a2c759527bbea5934db294377b

SHA1
bf9a1f4a1a5fbdd846c386b395947f6e5f9fd199

SHA256
903965086a0b2b49fd594828f69aa73ba1867a5594f03f8dfecba1c39aa51faf

SHA512
bad80485c12a7b205fe1443d8416df861397ba890c6d55d068ce079694a45a7fd4f81950a190e14e74aeab2f8473e751426cde5c092d26793630e1649122bea3

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
80KB

MD5
65725c60ed4f510c446adf6b170b5286

SHA1
a456b9e6e41510af8c87b715a87beff61c2c49ad

SHA256
92cfc51362fa20b72fda3a43813634592f349e0bd45b8bdfeb8b21efd57ec06e

SHA512
32cba04f56c4f68dc4181591b35e856084eeb48fcd5334188ac0424a20856c40527adf424a3b7399e2e9f6dbd74e8c8aa58d7e52eda5e1622952db629cd17310

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
80KB

MD5
6c475831732eac997c615049acff8822

SHA1
909098efaf8ba6fc8c088329ffc7f3137d7935d7

SHA256
ba999bb7b5ead13ee788aa98825225ab37eecf7a6620e764f66d803d70f4ce10

SHA512
457f23cb8b1e9447969a4db4b7517591242b9b84287295b34b17ee0858923d2ae84811bad17f09a92262b5a5c7237647479feba509c797045d2971f55f748ae7

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
80KB

MD5
055ae4ca0262981cb0a81dfafbb1871c

SHA1
0c90ae0e7dfa4cf243eebe57ec4719abe0b1eaf7

SHA256
215888ca573b66988c95b7b7cd8f87d2b7dfa8156aa596720008d98eada7c123

SHA512
e1660bf416fa55c9f071fff6d86f95edfbe96ea4987c8e40775a120b1f810a0dccccbdf7a27cb3423ec3c0b270add1a1c663d96d3afe440aacb6d4399d880644

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
80KB

MD5
d475a4dd477aac6ac0d7c95f04c6d38d

SHA1
b4823511da22bcfca9a7513cb287ef7fa62a8c4e

SHA256
a15369862bc3e043802515a82f0d26b63740c93cc9569cc21305e224cae5738d

SHA512
41b3394ae75d970a5954baed04993bfd6d55cfee0fa2a6767ac9cfd715ccb6745aba746efb212291d7d8275972dfbd4af04c080583922dd48792fa7503cb4c4a

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
80KB

MD5
921b618fc7a8a10281529a36b339a081

SHA1
c4f60ef6ba9e9ed51cac49f0f2cfab1cb888aa6c

SHA256
5170b73088423de9bb0757b04610b559bc88f9b855f82137242f3582d5065744

SHA512
9dab3ba018144a55ec9719ff90ef68a0cae92c8952dbbed72b5cbb42cf4f966e0674afaea99e53dc4740f07a10ffd36f2730624abcb0f76e39f45d42f3f0a39c

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
80KB

MD5
c25a64b130796e5749a5b0baf5465962

SHA1
5063cb2d65a84a60d50ab3b5f5fe0f5afb13ab75

SHA256
20678e683c7b93617f8e5ac91032bba87bf1a07b785e0f44085bd0d09b6c34bc

SHA512
89bbc3f81c1f69bf75694fe42f439ab5c6d98c532e28e709a4561d197fb2705427409c4ecfdee5914205fa724f4b22481eddf5aec3f372bee19bcfc4e8770cd5

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
80KB

MD5
caa7f61605266ea8092bfda7dd1782f4

SHA1
bc0715383ac46f143757a4d5ff38cba575d47800

SHA256
fb52b77259a2c9e3afeb4e9c9e61981d815c2c2fc06f9489cda26408956980fe

SHA512
891cd5a7144385674f677d8b6541963d42d8422deb7d48b0006704a86e1996094511e83ecd842ec381d58936f4e92d2281f9270cd7c6f6bdbd5cb8776eafa3b1

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
80KB

MD5
df970440c139241bafa89f0dd0681d7b

SHA1
4364c4c7352c95a62aae262ce88bc3ddf8dda1b2

SHA256
2eddb71d03c90aebd3d6ce16e48320f7cc92c31a57f7ac22475bc691c09393c8

SHA512
827c025d7abbd6a649a95b4d61f71ca196f157a2f6a33096f7af500b3efbfba6b2471be9a93ae301ed6f60d6ec10cd5b08a71c78bead304e40a583f33bbdf2c2

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
80KB

MD5
75a96150ad2421531137cce724fb2923

SHA1
fc8a2af292ea976a0be8c4f7edc39f2ade87dcc7

SHA256
69936b6cf103d9f28d2eb19be3db8cc19235eb7d235f1e178a5577be1b4297b4

SHA512
796115fbe94da482952cf2854f7aff8e44eaa8fe4bf861d70125247856251686851f6dc4dcf46a408c640fefb13fa9bc9d2c79c752813d59fae5e58918ea4519

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
80KB

MD5
b973b3fbe93c2c1ce1820e68ee0d696d

SHA1
889e39a4218b9a623642b60f3258125628e8cfe6

SHA256
5adb9dd9ee24e7fd777c6478ff9c33e7abf5f43552a13f069e73e10b404d0f4a

SHA512
6eea6db87d9bcbc9e37de4f8c3e0a6ff582604772f662b112a8c5710cd6cbd34746da4af8e1b4fd3ae76255421c8b85c6aa7ba784ec2c4f746509a44878c8a5b

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
80KB

MD5
c60b0dda053e3ceec2bfe255ace9bea4

SHA1
962db8ac236d922e1c99b59bfe407288f480e815

SHA256
888b1093bcf11f03a37650fa173206c9411a77342f234b49ec29a2580e34f0f3

SHA512
73d59d381d84f3125d1d3d22aedb346c2074f666ecf9796488ad16768b27f6367ca9f68a1f78cd3667e4a65d97f1c8fafae2fcc96dc682fd5b058303fca102a4

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
80KB

MD5
26434ae6ec4e0456b4fd334d310d5ee7

SHA1
3be9bd6f9b8706c861c08ad382951f30f648a703

SHA256
efdc3750d3545a904fe4f19c035ec45d4a3bc231f855df90338fdfa0fb23fdc6

SHA512
e5c2293d2894393365b67a0c01dfd356632d7759a40aa0acf22f48c57650021e1fea648242a891132c77650b40b503c74e16a3e5337cd2f4e62565763bc69889

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
80KB

MD5
5b4df767408ab80410847241f19efc4b

SHA1
70014abfd6d96a50594e6d9317530ef9ea488d09

SHA256
92740114b001699191b79e4e8d0ae8786e08a220b772489ea2d06f859ef27b77

SHA512
a2f965fb8cffe1f13faa4b5a5f87218d759a8ff9b0ebce5eee463d6c850449268b100ca4a798f7dddff3311d4f0b1d2dee819e4eed029b4222430ac0c2364490

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
80KB

MD5
83f7e1c8173366b118f0ea8ae6defb2d

SHA1
2d62dd561e12d4416da0d7808be7e79dfbd15a52

SHA256
302f85a4ac5fbe43317ad6ab3c0055bfcd6140f1d37536e10378e4ac3a9b64c5

SHA512
a4c16dc084d3daa70aabbda54de6b5b36e0e59163402446b78c816810931175a95d75c186ff1c21ea4081e317215215cb97284764d9e6d361f21f0c00a5b4a23

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
80KB

MD5
6a11acec3f666b7df4393fea10943ae7

SHA1
1020350cfe4bc4d88f18c7391470b37e493f8596

SHA256
09a54cda460bb318e228fcad344716502a771611882ac8510a5157f326ed7767

SHA512
4910dd76726bb19e654cf273c48ac3ecdade599633b72b838ede2bdbe39a4e35c6cfdf88ce8190d60d388199b3676897e8563ffc88148f8024cd4753b0882297

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
80KB

MD5
d58b2908957e06865b4896ab791f0449

SHA1
270b75b4c04c20abcf45581f11939bf693fff594

SHA256
e87af05f259f7026f5682b3fc7c3e489a2996ae3e58cf7c9720b3d73004f575f

SHA512
c63b6c31bf353a966c587cc688ed29d39954b8d4f3c418457a78ea5a58be6a4e06514037089aa6b2862446fa474cde92a6fdea578a647462b54ea677f4eed69b

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
80KB

MD5
b0740c03768e4cbfea47d0ec603030a3

SHA1
4b4e248a275f62dc3e8c139ba34d0fe38af9712f

SHA256
b1f37ffa269d75ba8ffec90d81c99bdc77bd21226865a14c66a07f010a203443

SHA512
22a5f0c4469e52417de94dd14672e3ab5d7763f2df54a812fcce89a30475b17cff952818e1c5bb03f811c32553bf36183e408c943fba0f6704f2d48321932183

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
80KB

MD5
cbed641af819228e9018c2a4ba938652

SHA1
ef5d26e67ffba1a8942f93e294110e07ac9f25be

SHA256
e0a0cfaeb373fb29d0205b638063c6e2b814a5054570605bd1ce30e08692950a

SHA512
66ab6c79478de504098cd999bab4485796a06da5659699368a678d6036d38b0d8116b9bfdd352b9491be89fb73494275eb96d558f566cad9b79ab46ef13f8716

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
80KB

MD5
9d7717af7becfaebd730c942761c6b68

SHA1
02f19e0e6ff224ac6272c014f6b44b041ebe551d

SHA256
95c84d02fac05819a1bb131cdd98cc60b93dff4000c22cfd56db1ec956be1edf

SHA512
f48ff07d4221114d876d081cadd63fdd37e1fd8c31e1fc9a9e9c4c6e6fbbf00c23944044160dd741f3c8865025aa59d02b680fc7339c22188b7a8d04dbc22962

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
80KB

MD5
199be6907f7221f6391e2e3f36eaa3c9

SHA1
bbba859ed846fa2766ee2ae63950bdb23bf8a385

SHA256
4241cad85b0720c56d22098243a1b9dd331ec4e5e28ed5554f9461bd7f10fb03

SHA512
7433c65ff3c4a5f103199a76cf008d9a3e68e2ca7bd41c10d7df85c48899b45eb263ee5c6b6cf0f20b6fd0a5326b4940ede09d278a530ad3842f58e3d9d943f6

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
80KB

MD5
e25dd47ae492d35dfe0e37247fb18212

SHA1
4674433d816bc8e75c3c13c46a595d269c0140e2

SHA256
7249654dbdc3d4301c185d184a7b77f29e1b3f3e367ce76827401728cc131113

SHA512
ff54188eebda13e686dbc7c83de05416a785cbaf0aa8e5cba27e7df38b36f0320c5ae53de093cdd045ab3a9bfc33d18619b242770dbd67dd1619c5d8454c7211

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
80KB

MD5
9fea3c7eb02aff4e11b7bc964723de57

SHA1
c9bbddfa6737e228598cc1ac21eb7b1f1d871e17

SHA256
e113de701a99bb80918a261592d6b7ca3e9f913d391c5481634c1830984ef83b

SHA512
84de184824c0e7e4c35d5dc9c195c9d78546bfcdb6b2f61611c6d7539e52acf549b354394d66db890b098da8094f5a23e35f7cda90eb276b8aaf69bb9230969d

Download Submit
memory/348-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/532-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/540-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/628-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1060-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1068-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1160-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1248-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-378-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1424-77-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1476-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1580-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1784-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1940-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1964-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-61-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2092-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2124-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2248-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2280-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2456-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2684-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3160-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3176-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3184-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3208-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3264-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3288-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3308-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3460-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3552-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3564-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3904-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3916-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3984-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4128-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4136-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4192-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4196-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4568-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4652-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4712-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4792-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4804-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4880-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads