00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590

Analysis

max time kernel
93s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590.exe
Size

110KB
MD5

bfdec0b8c7131aef87fcf53a4f0da9b3
SHA1

3102853e84c4652f1e3c2d47bf0494938b18c1e2
SHA256

00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590
SHA512

b39122e8adca736e8e3ea73dd82f970fa5f5623c15b10b8335ea5a2142280f292ccc524b44609cb2b5d6ded76806f738c46180a0cfa496bd6a7608e1b685f8e4
SSDEEP

3072:Jf9LudFtJgK9Y8iwSHnDsiLCcZ6TLJiXSk6IXP:Jf9iHn9vCHnDsiLCcZfSk6k

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djlddi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coagla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlgdkeje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe

Executes dropped EXE 64 IoCs

pid	Process
2892	Cpjmee32.exe
2392	Cchiaqjm.exe
1940	Cefemliq.exe
5024	Clqnjf32.exe
5004	Coojfa32.exe
4916	Camfbm32.exe
1532	Chgoogfa.exe
1312	Coagla32.exe
3300	Ccmclp32.exe
2644	Digkijmd.exe
4016	Dlegeemh.exe
2120	Doccaall.exe
2320	Denlnk32.exe
3844	Dlgdkeje.exe
4616	Dofpgqji.exe
2776	Dcalgo32.exe
2948	Dephckaf.exe
2464	Djlddi32.exe
3132	Dpemacql.exe
4800	Dcdimopp.exe
4188	Dhqaefng.exe
3892	Dphifcoi.exe
3628	Dcfebonm.exe
2956	Dfdbojmq.exe
1664	Dlojkddn.exe
4648	Domfgpca.exe
3544	Dakbckbe.exe
4320	Elagacbk.exe
2416	Eoocmoao.exe
3484	Eckonn32.exe
1968	Ejegjh32.exe
920	Ehhgfdho.exe
3000	Eoapbo32.exe
4928	Ebploj32.exe
1108	Eflhoigi.exe
1680	Eleplc32.exe
2484	Eodlho32.exe
3520	Ebbidj32.exe
464	Ejjqeg32.exe
1244	Ehlaaddj.exe
4960	Eofinnkf.exe
1088	Efpajh32.exe
4380	Ehonfc32.exe
3672	Eqfeha32.exe
1492	Ecdbdl32.exe
1896	Ffbnph32.exe
2196	Fmmfmbhn.exe
4560	Fqhbmqqg.exe
976	Fbioei32.exe
4932	Ffekegon.exe
1844	Fmocba32.exe
448	Fomonm32.exe
1556	Fbllkh32.exe
888	Ffggkgmk.exe
3244	Fmapha32.exe
3240	Fckhdk32.exe
3980	Ffjdqg32.exe
4832	Fqohnp32.exe
3856	Fobiilai.exe
640	Fflaff32.exe
3476	Fmficqpc.exe
3524	Fodeolof.exe
3660	Gfnnlffc.exe
3232	Gimjhafg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lkakml32.dll	Eoapbo32.exe
File opened for modification	C:\Windows\SysWOW64\Eleplc32.exe	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hihicplj.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Chgoogfa.exe	Camfbm32.exe
File opened for modification	C:\Windows\SysWOW64\Fmmfmbhn.exe	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Gpkqnp32.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Dfdbojmq.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Mbfppi32.dll	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Cpjmee32.exe	00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Gbjgbh32.dll	Eleplc32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Dacdmi32.dll	Dphifcoi.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jehocmdp.dll	Dpemacql.exe
File created	C:\Windows\SysWOW64\Eckonn32.exe	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Ampkqqjm.dll	Ebploj32.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ehhgfdho.exe	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Iedonm32.dll	Ehhgfdho.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7624	7508	WerFault.exe	306

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mepgghma.dll"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcalgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbfkb32.dll"	Elagacbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceakm32.dll"	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llebfo32.dll"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nigpemda.dll"	00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll"	Ehlaaddj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2892	2316	00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590.exe	85
PID 2316 wrote to memory of 2892	2316	00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590.exe	85
PID 2316 wrote to memory of 2892	2316	00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590.exe	85
PID 2892 wrote to memory of 2392	2892	Cpjmee32.exe	86
PID 2892 wrote to memory of 2392	2892	Cpjmee32.exe	86
PID 2892 wrote to memory of 2392	2892	Cpjmee32.exe	86
PID 2392 wrote to memory of 1940	2392	Cchiaqjm.exe	87
PID 2392 wrote to memory of 1940	2392	Cchiaqjm.exe	87
PID 2392 wrote to memory of 1940	2392	Cchiaqjm.exe	87
PID 1940 wrote to memory of 5024	1940	Cefemliq.exe	88
PID 1940 wrote to memory of 5024	1940	Cefemliq.exe	88
PID 1940 wrote to memory of 5024	1940	Cefemliq.exe	88
PID 5024 wrote to memory of 5004	5024	Clqnjf32.exe	89
PID 5024 wrote to memory of 5004	5024	Clqnjf32.exe	89
PID 5024 wrote to memory of 5004	5024	Clqnjf32.exe	89
PID 5004 wrote to memory of 4916	5004	Coojfa32.exe	90
PID 5004 wrote to memory of 4916	5004	Coojfa32.exe	90
PID 5004 wrote to memory of 4916	5004	Coojfa32.exe	90
PID 4916 wrote to memory of 1532	4916	Camfbm32.exe	91
PID 4916 wrote to memory of 1532	4916	Camfbm32.exe	91
PID 4916 wrote to memory of 1532	4916	Camfbm32.exe	91
PID 1532 wrote to memory of 1312	1532	Chgoogfa.exe	92
PID 1532 wrote to memory of 1312	1532	Chgoogfa.exe	92
PID 1532 wrote to memory of 1312	1532	Chgoogfa.exe	92
PID 1312 wrote to memory of 3300	1312	Coagla32.exe	93
PID 1312 wrote to memory of 3300	1312	Coagla32.exe	93
PID 1312 wrote to memory of 3300	1312	Coagla32.exe	93
PID 3300 wrote to memory of 2644	3300	Ccmclp32.exe	94
PID 3300 wrote to memory of 2644	3300	Ccmclp32.exe	94
PID 3300 wrote to memory of 2644	3300	Ccmclp32.exe	94
PID 2644 wrote to memory of 4016	2644	Digkijmd.exe	95
PID 2644 wrote to memory of 4016	2644	Digkijmd.exe	95
PID 2644 wrote to memory of 4016	2644	Digkijmd.exe	95
PID 4016 wrote to memory of 2120	4016	Dlegeemh.exe	96
PID 4016 wrote to memory of 2120	4016	Dlegeemh.exe	96
PID 4016 wrote to memory of 2120	4016	Dlegeemh.exe	96
PID 2120 wrote to memory of 2320	2120	Doccaall.exe	97
PID 2120 wrote to memory of 2320	2120	Doccaall.exe	97
PID 2120 wrote to memory of 2320	2120	Doccaall.exe	97
PID 2320 wrote to memory of 3844	2320	Denlnk32.exe	98
PID 2320 wrote to memory of 3844	2320	Denlnk32.exe	98
PID 2320 wrote to memory of 3844	2320	Denlnk32.exe	98
PID 3844 wrote to memory of 4616	3844	Dlgdkeje.exe	99
PID 3844 wrote to memory of 4616	3844	Dlgdkeje.exe	99
PID 3844 wrote to memory of 4616	3844	Dlgdkeje.exe	99
PID 4616 wrote to memory of 2776	4616	Dofpgqji.exe	100
PID 4616 wrote to memory of 2776	4616	Dofpgqji.exe	100
PID 4616 wrote to memory of 2776	4616	Dofpgqji.exe	100
PID 2776 wrote to memory of 2948	2776	Dcalgo32.exe	102
PID 2776 wrote to memory of 2948	2776	Dcalgo32.exe	102
PID 2776 wrote to memory of 2948	2776	Dcalgo32.exe	102
PID 2948 wrote to memory of 2464	2948	Dephckaf.exe	103
PID 2948 wrote to memory of 2464	2948	Dephckaf.exe	103
PID 2948 wrote to memory of 2464	2948	Dephckaf.exe	103
PID 2464 wrote to memory of 3132	2464	Djlddi32.exe	104
PID 2464 wrote to memory of 3132	2464	Djlddi32.exe	104
PID 2464 wrote to memory of 3132	2464	Djlddi32.exe	104
PID 3132 wrote to memory of 4800	3132	Dpemacql.exe	105
PID 3132 wrote to memory of 4800	3132	Dpemacql.exe	105
PID 3132 wrote to memory of 4800	3132	Dpemacql.exe	105
PID 4800 wrote to memory of 4188	4800	Dcdimopp.exe	106
PID 4800 wrote to memory of 4188	4800	Dcdimopp.exe	106
PID 4800 wrote to memory of 4188	4800	Dcdimopp.exe	106
PID 4188 wrote to memory of 3892	4188	Dhqaefng.exe	108

C:\Users\Admin\AppData\Local\Temp\00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590.exe
"C:\Users\Admin\AppData\Local\Temp\00b21474a8c8012e672e8ec3e616476657435851af7f40b9240a85ec33c1f590.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\Cpjmee32.exe
  C:\Windows\system32\Cpjmee32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\Cchiaqjm.exe
    C:\Windows\system32\Cchiaqjm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\SysWOW64\Cefemliq.exe
      C:\Windows\system32\Cefemliq.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        25⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        26⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4648
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        28⤵
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2416
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:464
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        44⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        46⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        49⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        54⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:888
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        58⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        59⤵
        Executes dropped EXE
        
        PID:4832
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        60⤵
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        63⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        64⤵
        Executes dropped EXE
        
        PID:3660
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        66⤵
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        67⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        68⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        69⤵
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        70⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        71⤵
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4552
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        73⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        74⤵
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        75⤵
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        76⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        77⤵
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5056
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        80⤵
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        81⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        82⤵
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        84⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        85⤵
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        86⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        87⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        88⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        91⤵
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        93⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        101⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        102⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        104⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        105⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        106⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        107⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        108⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        109⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        111⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        113⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        116⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        117⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        119⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5940
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        123⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        124⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        126⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        127⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5452
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        129⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        130⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        131⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        132⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        133⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6096
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        135⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        136⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        139⤵
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        140⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        144⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5652
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        146⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        148⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        150⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        152⤵
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        154⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        156⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        157⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        159⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        160⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6684
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6724
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        163⤵
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        164⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        165⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        166⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        167⤵
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        169⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        170⤵
        Drops file in System32 directory
        
        PID:7052
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        171⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        172⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5516
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        174⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        175⤵
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6356
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        177⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        178⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        180⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        181⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6760
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6840
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        184⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        185⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        187⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        189⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        190⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        191⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        192⤵
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        193⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        194⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        195⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7032
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        197⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        198⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        199⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6444
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        200⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        201⤵
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        203⤵
        Drops file in System32 directory
        
        PID:7124
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        204⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        205⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        206⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        207⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        209⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        210⤵
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        211⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        212⤵
        Modifies registry class
        
        PID:7224
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        213⤵
        Drops file in System32 directory
        
        PID:7272
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        214⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7352
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        216⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7388
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        217⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        218⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        219⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 420
        220⤵
        Program crash
        
        PID:7624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 7508 -ip 7508
1⤵
PID:7596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Camfbm32.exe

Filesize
110KB

MD5
45b92a994d2510a4f391496120aa85c1

SHA1
14029c2a72627f4aa6fc7a029960893a4c7e5b67

SHA256
af9a86a209ab5f62026d0a76572af0832ad2b5178aed37f2d52fc71938492235

SHA512
526b8483339839bb47894a0f59fd56fd49328b15a6b9bde266b931b75ee5fcff0fa40c6254beccd5c6090b2c753e10838208bb3e3361deae90ef232692450609

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
110KB

MD5
0a97c6793b81dd1a9e45ec6ae2f4672b

SHA1
c32e53edaaf12462498fe0e146f440fcaf39df15

SHA256
efdf5cf9ea91b1756883d5ad570daf9b87d8c86595606bbfb608d578ca658886

SHA512
c3a998975ba46c46fb0d4f02052396eea4db447477bd775798bae2692faf27662f8613ff4c36de5028c126dd88681389f318e12f4818839636fdbac5cba2b095

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
110KB

MD5
2ec9c1265efc425d032eccf260a37214

SHA1
84bad788aa36b16d0d87ef47989395c7dda7d5ef

SHA256
b40df5a86d53925c5276f6bfcee49b7fb946a07ff2aa5f806078508a0f0774de

SHA512
09e156ddf49ca724b58f90acbdd0fe66ddb9ac30c2890c7d1a97539748f9601c701e2f7a51c57ec74a48acfb8d9dfb775214d6fd9212bf140c8a5efa93a3a8ef

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
110KB

MD5
59c1f1acf7de6416d8e8691d89cea3ab

SHA1
0d10dcc602c2d929e57da669a96e13971cb77bf8

SHA256
a7999d262d9437ac317f39ac33d7ba4fe04dcb1a21b86d5cf4ef735f1d9fbbfd

SHA512
938fd830ba95f374580d33c276ad8233e844a08c439ba5250e23f4ac4260877598ab48042b4f874a6b2b554bb3a92084e2d350fa0ba40410ec9ca2d08bc45458

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
110KB

MD5
1f48e465fd873a0e4afd8806296a8ecf

SHA1
8092a860b197f1d0e9a80c2c153087e3a3fa9513

SHA256
9368c77e4b9f4365b61c5607e7924949ccc4bea3fb584e0e4f5d9156d7cf7ff7

SHA512
bacef00f7a08409338e577027303c1cf546b66ca713eecb72e4ca3fe10052f7cfab27c7adc12bc06ee1ccbc7ac0811adece96bec3d3da2e2b20d76a95028c386

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
110KB

MD5
c2dd260dde733012e73f2c5aaf2dafee

SHA1
a9cd3cbf36589c44a42dcf132742c51fb465053d

SHA256
01c0bafe1ffe56f85954d533fd0113c040b0d7035d4c57e182ce373e3e748071

SHA512
8f4b21938eeb27e6d5edbfb79dd4e2a94ed3cd18affd55a2368e246642fb853b44e9a39f6e54ab39184b7eaec4ac3b6bbc4a5b95132b94addbef930de282f2d5

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
110KB

MD5
3fe0fd259472f4245e8fb8d1c2f2c4e9

SHA1
4133e7668b054490501612a1b5eba23676d70637

SHA256
ca5cf789ab21f87540edcad5b5b7da448521f433661d19ab20f4e36f01516a24

SHA512
6b71159eab9b2a004c1cf2a3ff7516e3c6ff52fafd3d631ceb35dbd67f2d70ba94155246c393d4a6e7d123a120e7bdb0d7b60f370a79ab94677aa12c86dd99e8

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
110KB

MD5
d6be83f0e7dd764ac4e17bc338535a0c

SHA1
1dd4aa34354a81ecf8781d821e59835bd5685786

SHA256
372e6264947272e82403a1c16d5945363196011b9487a6109b7ea6bdc4fa17ac

SHA512
e9dd802283c6a77e7a650946e265ce5fff209798bb7d9759379ebf7f7414f0018905c8eb1d3f101eade448d7b73bd482592e617ebdadd2618ec289ad32d3b359

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
110KB

MD5
d32d93bb4861c77877b335a82164cc70

SHA1
67cae72427310ff7fb9fab3287f151713b0402ae

SHA256
dd13e4dffcdb49ba1929e146fdf863080afd5066f91beb419f3d0bddd0dfaabc

SHA512
4ab7ceaf648917b2f70ff645b14d569703d6607b12704720d39ed5029416a0e2eda4ca1565b2bd5ec1d4eb89a63e588a285fe915c3be0d852f4a682ed1df61a1

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
110KB

MD5
bb728ab6fc8c2e3fc87cdc504f349141

SHA1
27e9b6375439aa40a4a4ac6b303aa9a14e4be3a5

SHA256
ef6ddb6441875993ccc4ecaf7b9eb1dd7de67b89977898a193ecbf86c03068b2

SHA512
6047af6c82b6fc8fbcc3c7bf7f52115f5c9dfa41a09461efb143b6b958ea8a36835a9d5a383d74cd36aa012616414ace1e5745e1a3cd2005ae184818d66d72da

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
110KB

MD5
2f805ecea701e0b8abb86f75b06e8447

SHA1
08dee9a8fe181c3e6c666315a586fede0bb2c5e7

SHA256
f99946b9bf14c7ef050c6b115dcb267855069a8fed31969b04971987841c1ec0

SHA512
c9466bb83fc8643d3d713301c128592c2f74e6c0888108272873a753226ad23938ea9c2261f3a08ab5fff67bab51851cea15c829c21af292d2addd518143b917

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
110KB

MD5
284d2dffae8a99d4bcb98978c7dfe959

SHA1
4efa486af5fb24021c2ab6a95ba60d5990d9ef15

SHA256
9ba51ebb9fd7e3fac1bac66c401a68fabb031e68184bbeac1e1c0641ece679bc

SHA512
7e771b3b7f0958c4663399d2254494d9613e478b6def4f3f69aa53cbe1c7e7c74942a6626a269ec62a2003267166bd44f4d74d044e5d02f8d4a80c47076af126

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
110KB

MD5
1b85f3f52b8e8c65739496694c52685d

SHA1
ae4edd7199cdff2640853847b4e2d3664156c041

SHA256
4be8ee4ef6f1857028654b6bcffe07440d206d0660aaf75b14e83c90f60590e6

SHA512
e10d2430e0d52e6df07a654beffd3453c2660b56f549d95553c9125840e3798232d2a2bafba1fc8ebf222196025457b99d709a40fc669522edc3206132d202ab

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
110KB

MD5
7a9bd46a198ac9cfa228e95dfd6ae91f

SHA1
e94b469c4b3c6657657e2007de0f19b2ef6f9225

SHA256
b39f60a63655f9c02eb86cd398c14c461b7d461e856b358ae128db162abc3803

SHA512
fda16c652f4911a1d40f26441c461986a04badfcbdfe6fb96ec60da9338a88f7d13fff8695d1338a188fd8be4968f5fbf62090c7ba2ae0884ee5aaae25aa4655

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
110KB

MD5
ba88bd8292d6c2009c0e3f33ab935f92

SHA1
903899945e34fce28a5d7dab870fdebfd6cb0876

SHA256
05db658fcc2b003167b910350b057fa8656d4a4a267371d7dd04f22f5dc330eb

SHA512
3bfe6e79cc77a19649855bb85af23f680b022e05097526ee02be83b5d7c82bf1b9aeda41869736c52985b66de8dc01ca948d132ee88f59e23c5326293aa9ad5b

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
110KB

MD5
d1537cac9d76972e225b89374b61744c

SHA1
92eb0412fbde4e1597517cf2a6bdb50be67c47ad

SHA256
bb39fcecfccbdd644c4691df74292b3e19ccc67e5b6700d46b2b9af1f5a12a19

SHA512
bbaef35f4b5dc8a3364952addf2591b2f5af9385f8e1183fbced3b5e838921c3f70149d212d17bdebf7eb9193be89df08ace576252b8e221ec66dc642a7285eb

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
110KB

MD5
21090e5500a41c978da79e4e9af3f56c

SHA1
3215e031117bd84ea35a4907bc5673f76b53af0d

SHA256
c3b233726955a715fe80dbff3c9d7fcfc05a02527566da2e22c2bdabb269b73a

SHA512
dbec2b6c6a505d3ab6b302bd6e0c36fc729234409012446f62b1e17a13a085001f16758f8a2ca6dd0a0df093f97edefe266228ad1ed815cb9b273f24c80e9c79

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
110KB

MD5
f3cfa54880ca4e74619f69bd4dc3ae08

SHA1
58510b2595d76c9a49f3804e7a894cf5df1f77a8

SHA256
fd5562ca387723c70707cfcf0ba7109f9c670eacbba3cd3bf2d78ca32f774665

SHA512
88480379768c6003f36aed6abdc11b057e632246c7d45584b1a0191f7c74661b15347d4b966c44da137f14c85d92267562156c7cfb87c098b0c3cd59cc36423a

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
110KB

MD5
80323e8b7cf4fcc9751e63dbcd64f199

SHA1
94418cfe67383a2bd9473582f3c977e9d4afec3c

SHA256
0c6fa5e4963d7dd1c955210fd4de6a40d1506db59b217b91c9fd15696b9f3514

SHA512
9820e37e7aceba1228b9de8dbef82a938ed018265dcc18067f6aad31bd3bbf2980b9196dc4c3536843349fb306fecece3cb785aa7039ec5d65d3eaf4e5266300

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
110KB

MD5
8920186de0d2acfaf72a5ddd0859ecef

SHA1
fe173bc9eaa1063d38ba9b8b2e91da3ceec8d869

SHA256
f9d108f05414f1373460981837f649fd267af74bfb119a3381a6b8dc51543adc

SHA512
31fa5a52f8c10d2f39e282cbb931a8c3d9f48b73259c36b5083df8a7a8875e464eecfbd32f121e700cb1e22aee2533ddeb578acd0365b00f1db9202e332f7612

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
110KB

MD5
cbd2128b0fa3d41e986f8cfb6689a371

SHA1
04959d36f9d29fdbd5f213edae06bfa305a08474

SHA256
8939c3f36422b244fa090db3cda8cffaea9cb1d522c56716627a39eef2e57b71

SHA512
d3170cda9ebf9f9f93ca6e40cbdca7f19ad0a56610d4c34d77bfd3a5d423996b781fd04c1bdd9293d68a16282e6abb02997fb4873b6a0ea1e7498ee24c18807d

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
110KB

MD5
6ac2aa820cd209ddf9d3a3bb2345daed

SHA1
4d6dc26ae1d95b358582bd0f6abca6d97fa5d55e

SHA256
2d05d7c8c32b1960a07fd687962d1d249ee3fd61f4c2c75e79395abf666b30d0

SHA512
8fb9efefd4109667424f804dd93b98560a934ec6790f36e6980465f41b389575d93737d52db79a2300ef60d46bd8847f6bc29d25cc90718f67bb3963072ae7ce

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
110KB

MD5
0eb4d94e790cd82bf47b8f145f419882

SHA1
fbf029b4767d3e7ec1e865afd3cf60f8bad141f6

SHA256
bddc64f62ca075c8d30329a1f5f11416e1def1923000f82ef7b039160ea6a310

SHA512
4696115659f2fc5f83d07f602ee820cc75c3e8dab9ce384c6b43a8e34baa6e13813736dfe32affd93f7623c6cf7b883e76a221751d31c66765eaf6224fe9f119

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
110KB

MD5
c369d90fda04398f5ee8bf18aff4113c

SHA1
a17d0c51e243745f87d495d0d798fb4a58482fc5

SHA256
6b4b814deca2babcc77c2240d0185793da3a2edc4cad9f2ef320c42e7561df6c

SHA512
7bcd32d7c6d91795685114d425ae901d707795adec3bc21d623a1e39b8c541f6b4250703be5e9e614d9587d9831ec372321dbd5eec502c58a2fb9c2daea46b01

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
110KB

MD5
ba9036d6ebebe1058f1fdcc31eba2adc

SHA1
cf50cb48bfcaf9c8d3afdc652374e27d92d56b9e

SHA256
0d87fb53e5aca0b58ab2a61901273cdeab5ac1ce3e9edf3c9e760b82dd2b2f3b

SHA512
1ae70b613226e1619f09871a43727fd3aac49de4d9cce5ef1db756585315a17c086f50535b3ef45ff34ebbdc1f43dab7c387ee547141ff655014c0c9e10219c8

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
110KB

MD5
bb6ddbf9a3f74ef5ca6a1d2aec59c8e8

SHA1
b32d6083f3acee7169554719e2dc7ca8c0cb75fc

SHA256
3ca2fdbbbe712000a29dc3952b7981574a9e89948ff0e408361a249517212de0

SHA512
54503fdec07e83045a319bd9101a34607d77e45c506efab88e2bea0aa12e5411cc6112e903435185981ac7051abbe6f5c00d9f6c71e61b0b633ffe2079cca474

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
110KB

MD5
243b8b2a42a4f85365aa3c777ebfb960

SHA1
434c57c371da91d036c3f30508d640354d62035e

SHA256
d306ed3f799b1df68ee7bf05bec1f62268de488da9cf3c8c11a007a7997a5b1d

SHA512
28c3a8754b24975dd69120e8682bee724f0abb5f7dfe3f8e59a53855983f3be9c8d79472af8f9f549d25ed4d294e2313d38f0e4119b37076be6912c7a38c7529

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
110KB

MD5
203ab51214eff2057554a1f430afccc8

SHA1
00cf2075c7bc2c6a410a971a6f9d3c273e49404d

SHA256
e352c1ade8920629e6e8d0fdf69bfa382b7bc7bd1b7cf3e322a7ef1cf17ce865

SHA512
64609d1da8f5f8bde9031e765e505d4d1eb35ea176b86d733509d5b1f20f51048589d1306ad2227331f086ae49270aeecbe67033e853b255058b3d4a0cc246ad

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
110KB

MD5
207847b2ebc93ee12a8b2b20c1d696d6

SHA1
d3bbb401e455d60281edeacb1fbc02439462d6fb

SHA256
960775e6c0b1e449caa2540e0bf1095396882dc4b00cf173a7510b493269f6f4

SHA512
ab6f15ee01bc7a01b447243f902dab2afe4eb44c4c0f4ad05541d308fbbff3adffc0ba96c59c8f49793e38a5dbc766794dba4239f4be77df45c4264bb15a0eae

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
110KB

MD5
fd89dd446b80ae6d133ffcd2010477de

SHA1
663328fa21da9954181e4a8536e6790f3d9ce803

SHA256
0a0f1fdf08798b4f07ec5dee253b6adb4e05b0b9e57072daa217ffce30c20a8f

SHA512
ac608e3b6bd4df6d4a81d9a1c3324833b7d636f7f15dc334bbbe86b733034e42bdd29c807dc14b7150c5a6308265a2d5687c0dcf789200f54b0719aff9de42b4

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
110KB

MD5
5786b0a9929ae544ef1c96cb1b6a5572

SHA1
ee18d6945ce476b870a520f93cf30476289f61b5

SHA256
d3923bfcdcf8cb0e0cb1edb5cddf8105722b58903c1e6204307c807c692ab69f

SHA512
e414648de58286812f5a94d3db73e056a013cd14acde84f4ee474f3f4eea1bffcab08aaf87376f3dc38904c17c85d0dcb96ae397414a42da4cacd47f2e50fd23

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
110KB

MD5
e56673f3368859bbdc732574d6ff7387

SHA1
1cc3847b476d107d75b859c632e1d8aa1e4797d7

SHA256
e2b9bf6f08894d0adeb34c48720131f64c046b9ed0832ae904b2a8e736e14577

SHA512
bd0ee625ccbf7f132edb014231737fe6922cc1d96dcad01236964862294e83c39dd172eea7834de6c831789a491d15b13fc2df316be2e86491eb7d50b7f9b015

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
110KB

MD5
e98c07232b1a4964ccf5d8ffebd03eb2

SHA1
938090801817ec6734265b4e4a9bec97c53dfb0e

SHA256
5b72be5a5c5500ccdc434e7c9685ecb194a762950e827e1a6cea6f71c568b94b

SHA512
55928e8563c317e8156049d2a2cf6201b970bf5c9640c28aaa15b0606c8f240729a51782e083bba98ba34d188df98d7a91481625854fb34bf7da15e9b7d29077

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
110KB

MD5
d5214e2114279412637aa6029b8156be

SHA1
b9ea88e083e00f398661d0a8ae222bb283fd113d

SHA256
1e8d47669ad7dc3ed9734b5a46cddf0b7fcdc45fdd7e3db77e869bd94abed8ff

SHA512
e5f5606ed80585c5999ee68ec56128bcbb5f9494517e5d2e3a5eb01ed54d0e4951f49f6b8bdf40391b3abee9424e431465975e63bddcd6713cae2f83e5e21556

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
110KB

MD5
9b69297731744e0edb86fcde4ad87ec4

SHA1
1c1d4eeff307faed8c697946154c1d5103dcf656

SHA256
de1e2152786b0aa3099608beb0e6ad592e0a6cfbd33de40ede68df03df7675b1

SHA512
c2153d8539cafd180109f8579e677fdfe44b11661db51711e316058727b203afa37d9ac893243a30886a3a369f2d751c70ba4e1dafe73c7635c7977f7001c81a

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
110KB

MD5
62b6743254d591b57403175cd55e631a

SHA1
6a756cfafbb4480046310425924815e98a1f1bc2

SHA256
1637696c987b0af2185895ee6dfe7f266603dc7690fb1331fa65e50617daf4a3

SHA512
c047dc4274df5db2b0ba23918d7a33b758432a6dc4d08d6d05c6fefa8aea96da1bcd0c49ad41634f000d4be81e8a93982335f45a1af90a28a8381991b99c1bbb

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
64KB

MD5
ec346e14928d44762cf0cd9ebbcd2024

SHA1
ce49552d7dba71d6b479d6c880bf939ff7ab11c4

SHA256
a8ec43a3e7a5b6f041cb30646ad1cfe43568620c7f9e0a46d7e87d189433352c

SHA512
17ee0aa958675148269a12199f5f76a420904c7a77def043f58e56c0c7692c46f91e4fbe0457efc40bdfefd886ca33588a426c9c0fe8e8f3bd87aaca87122f5d

Download Submit
C:\Windows\SysWOW64\Jepjeoec.dll

Filesize
7KB

MD5
f0c21c03c1f6a1dd7faa3daf70b928e0

SHA1
908302e825b14da4c5c780a458544f17e4ec9a39

SHA256
f7f8e2232174d60fea7a3fd4012395c1de3707bdeb986c6547c6694985f5539e

SHA512
7bd2fadd94b02508b3fbb90f4f97294f2ffec00efe6c65488cd3e5659cae1c4d8a3820483884104197e94a0dc54fe95ea64cdb1eb6dff0b9197f1a252a996235

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
110KB

MD5
dce19326cb8c1b4279bfd59b90e22969

SHA1
204a1b09a8f950fb9cf49a326505a67242569737

SHA256
db62211f027f54772e4780e1b3c3cd75df388d13be274717830b48eb3179dcb2

SHA512
26a42644e8ca71e4a1b0c23889cea4ada65af2859c58b2819401e4a6b1db3620b740545680a83de702398d79f0a39e9dd2443fc94400849db42a15daa51c2ae6

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
110KB

MD5
660d519a11b7f4d3d53fd5f6efd53684

SHA1
4846656188877aa08afe842907dcad3a6b1687d6

SHA256
df807013ffcd4930f3c819f7008ddbd27948df82efc30714db858c0e7710b4ab

SHA512
ddb1e467d58bd80f5504f28e87c15a2387700fee8cdef3a9b059595ee9d67a5718a592464bae6f24544d5cc5068eb1fd6caf237c09ab877ac7d44322047a7285

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
110KB

MD5
7b9aa693da87212b43e855d3d185d526

SHA1
57618b10b716d46b3434864f3884add65211ed38

SHA256
e1fa566841ad5d8f6fb39697ecaf6174f142ed6841ab0f02846472184069fc86

SHA512
1e902e2a46e5ac1892848d2078e617ae8b22cbe97351207053f8b18a7c65d175a74176d511bbb21e633308b9dde8c03bac8f3c1b4a36919ca40ff7f3b648aa4c

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
110KB

MD5
8cae8e9cdb26a150eb52577237832ea5

SHA1
0b4280efe59a90ab5d43219ea197f7926eaad8b2

SHA256
7f5e46815d60d295e119522e71639b27b4414857462e3d7f42bbfba9080142fc

SHA512
c39af56266fe63123c58c91104b5cfbd7afdd35c2ed4ea270f0614f3c1c224f127bc808f7d30940e6242626ade2f0674d92ac6efde04a6bacd3ccc646bc6ba8a

Download Submit
memory/448-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/464-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-424-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/888-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/920-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/976-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1088-320-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1108-274-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1244-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1312-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1492-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1532-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1556-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1664-200-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1680-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1844-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1896-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1940-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1968-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2120-101-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2196-346-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2316-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2320-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2392-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2484-290-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2644-80-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2776-128-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2892-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2948-136-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2956-191-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3132-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3240-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3244-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3300-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3476-430-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3484-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3520-292-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3524-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3544-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3628-184-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3660-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3672-330-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3844-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3856-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3892-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3980-406-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4016-88-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4188-172-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4320-224-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-326-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4616-124-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4648-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4800-159-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4832-412-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4916-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4928-273-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4932-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5024-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads