6f647fbb98d2455a6e78707cefbb579ece389fd9ea89a595faa209b234cce9f1

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 23:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6f647fbb98d2455a6e78707cefbb579ece389fd9ea89a595faa209b234cce9f1.exe
Size

182KB
MD5

9d032870761713f26e7a4d07fb6a0458
SHA1

494a1047dccd27f879a9fe861a55cb8204109639
SHA256

6f647fbb98d2455a6e78707cefbb579ece389fd9ea89a595faa209b234cce9f1
SHA512

98b5e8e6948a19e861825f3f3bfe59c53552b8be9f84fd6c48108531c316ce8b48b906c558922257e3f67c58ec29cd8d8797558388e9c561808438df618deaee
SSDEEP

1536:j7l8q9jTtSmsDmqPmKOhlURgcdcI82LA7nguPw9uVgA53+RrKJs2zjFS3ldkBOLg:jxPs6H1oA7nguPnVgA53+GpOc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6f647fbb98d2455a6e78707cefbb579ece389fd9ea89a595faa209b234cce9f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpofpdgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgodj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpofpdgd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe

Executes dropped EXE 64 IoCs

pid	Process
4200	Chgoogfa.exe
1224	Cpofpdgd.exe
4888	Capchmmb.exe
4000	Dhjkdg32.exe
5000	Doccaall.exe
1956	Dabpnlkp.exe
3088	Diihojkb.exe
4988	Dlgdkeje.exe
4496	Dofpgqji.exe
2596	Dcalgo32.exe
2648	Dephckaf.exe
4300	Dpemacql.exe
3008	Dohmlp32.exe
4428	Dagiil32.exe
60	Debeijoc.exe
3548	Dhqaefng.exe
3068	Dphifcoi.exe
5016	Dokjbp32.exe
1660	Dcfebonm.exe
1792	Daifnk32.exe
4616	Dfdbojmq.exe
2760	Djpnohej.exe
4772	Dhcnke32.exe
4084	Dpjflb32.exe
3160	Domfgpca.exe
3076	Dchbhn32.exe
3040	Dakbckbe.exe
1176	Efgodj32.exe
4380	Ejbkehcg.exe
4304	Elagacbk.exe
3240	Efikji32.exe
880	Ebploj32.exe
740	Ejgdpg32.exe
3260	Eleplc32.exe
3272	Eqalmafo.exe
4836	Efneehef.exe
4736	Ejjqeg32.exe
4744	Elhmablc.exe
2424	Eofinnkf.exe
4796	Efpajh32.exe
4316	Eoifcnid.exe
1140	Fbgbpihg.exe
4436	Fmmfmbhn.exe
4908	Fokbim32.exe
2532	Fbioei32.exe
3356	Fjqgff32.exe
2212	Ficgacna.exe
212	Fbllkh32.exe
4996	Fqmlhpla.exe
4516	Fopldmcl.exe
2712	Fjepaecb.exe
3568	Fmclmabe.exe
3968	Fobiilai.exe
4048	Fcnejk32.exe
3380	Fflaff32.exe
4604	Fijmbb32.exe
2308	Fmficqpc.exe
936	Gbcakg32.exe
1580	Gimjhafg.exe
3372	Gmhfhp32.exe
4352	Gqdbiofi.exe
4864	Gbenqg32.exe
2512	Gfqjafdq.exe
3336	Gjlfbd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Dakbckbe.exe	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Jibpdc32.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Domfgpca.exe	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Ejgdpg32.exe	Ebploj32.exe
File created	C:\Windows\SysWOW64\Qjebnamp.dll	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hfjmgdlf.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hbanme32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ebploj32.exe	Elccfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ejgdpg32.exe	Ebploj32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Efpajh32.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7712	7624	WerFault.exe	306

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamagp32.dll"	Dhjkdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfifijhb.dll"	Cpofpdgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhjkdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dofpgqji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopeje32.dll"	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahgndd32.dll"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibpam32.dll"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doccaall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 4200	5104	6f647fbb98d2455a6e78707cefbb579ece389fd9ea89a595faa209b234cce9f1.exe	85
PID 5104 wrote to memory of 4200	5104	6f647fbb98d2455a6e78707cefbb579ece389fd9ea89a595faa209b234cce9f1.exe	85
PID 5104 wrote to memory of 4200	5104	6f647fbb98d2455a6e78707cefbb579ece389fd9ea89a595faa209b234cce9f1.exe	85
PID 4200 wrote to memory of 1224	4200	Chgoogfa.exe	86
PID 4200 wrote to memory of 1224	4200	Chgoogfa.exe	86
PID 4200 wrote to memory of 1224	4200	Chgoogfa.exe	86
PID 1224 wrote to memory of 4888	1224	Cpofpdgd.exe	87
PID 1224 wrote to memory of 4888	1224	Cpofpdgd.exe	87
PID 1224 wrote to memory of 4888	1224	Cpofpdgd.exe	87
PID 4888 wrote to memory of 4000	4888	Capchmmb.exe	88
PID 4888 wrote to memory of 4000	4888	Capchmmb.exe	88
PID 4888 wrote to memory of 4000	4888	Capchmmb.exe	88
PID 4000 wrote to memory of 5000	4000	Dhjkdg32.exe	89
PID 4000 wrote to memory of 5000	4000	Dhjkdg32.exe	89
PID 4000 wrote to memory of 5000	4000	Dhjkdg32.exe	89
PID 5000 wrote to memory of 1956	5000	Doccaall.exe	90
PID 5000 wrote to memory of 1956	5000	Doccaall.exe	90
PID 5000 wrote to memory of 1956	5000	Doccaall.exe	90
PID 1956 wrote to memory of 3088	1956	Dabpnlkp.exe	91
PID 1956 wrote to memory of 3088	1956	Dabpnlkp.exe	91
PID 1956 wrote to memory of 3088	1956	Dabpnlkp.exe	91
PID 3088 wrote to memory of 4988	3088	Diihojkb.exe	92
PID 3088 wrote to memory of 4988	3088	Diihojkb.exe	92
PID 3088 wrote to memory of 4988	3088	Diihojkb.exe	92
PID 4988 wrote to memory of 4496	4988	Dlgdkeje.exe	93
PID 4988 wrote to memory of 4496	4988	Dlgdkeje.exe	93
PID 4988 wrote to memory of 4496	4988	Dlgdkeje.exe	93
PID 4496 wrote to memory of 2596	4496	Dofpgqji.exe	94
PID 4496 wrote to memory of 2596	4496	Dofpgqji.exe	94
PID 4496 wrote to memory of 2596	4496	Dofpgqji.exe	94
PID 2596 wrote to memory of 2648	2596	Dcalgo32.exe	95
PID 2596 wrote to memory of 2648	2596	Dcalgo32.exe	95
PID 2596 wrote to memory of 2648	2596	Dcalgo32.exe	95
PID 2648 wrote to memory of 4300	2648	Dephckaf.exe	96
PID 2648 wrote to memory of 4300	2648	Dephckaf.exe	96
PID 2648 wrote to memory of 4300	2648	Dephckaf.exe	96
PID 4300 wrote to memory of 3008	4300	Dpemacql.exe	97
PID 4300 wrote to memory of 3008	4300	Dpemacql.exe	97
PID 4300 wrote to memory of 3008	4300	Dpemacql.exe	97
PID 3008 wrote to memory of 4428	3008	Dohmlp32.exe	98
PID 3008 wrote to memory of 4428	3008	Dohmlp32.exe	98
PID 3008 wrote to memory of 4428	3008	Dohmlp32.exe	98
PID 4428 wrote to memory of 60	4428	Dagiil32.exe	99
PID 4428 wrote to memory of 60	4428	Dagiil32.exe	99
PID 4428 wrote to memory of 60	4428	Dagiil32.exe	99
PID 60 wrote to memory of 3548	60	Debeijoc.exe	100
PID 60 wrote to memory of 3548	60	Debeijoc.exe	100
PID 60 wrote to memory of 3548	60	Debeijoc.exe	100
PID 3548 wrote to memory of 3068	3548	Dhqaefng.exe	101
PID 3548 wrote to memory of 3068	3548	Dhqaefng.exe	101
PID 3548 wrote to memory of 3068	3548	Dhqaefng.exe	101
PID 3068 wrote to memory of 5016	3068	Dphifcoi.exe	102
PID 3068 wrote to memory of 5016	3068	Dphifcoi.exe	102
PID 3068 wrote to memory of 5016	3068	Dphifcoi.exe	102
PID 5016 wrote to memory of 1660	5016	Dokjbp32.exe	103
PID 5016 wrote to memory of 1660	5016	Dokjbp32.exe	103
PID 5016 wrote to memory of 1660	5016	Dokjbp32.exe	103
PID 1660 wrote to memory of 1792	1660	Dcfebonm.exe	104
PID 1660 wrote to memory of 1792	1660	Dcfebonm.exe	104
PID 1660 wrote to memory of 1792	1660	Dcfebonm.exe	104
PID 1792 wrote to memory of 4616	1792	Daifnk32.exe	105
PID 1792 wrote to memory of 4616	1792	Daifnk32.exe	105
PID 1792 wrote to memory of 4616	1792	Daifnk32.exe	105
PID 4616 wrote to memory of 2760	4616	Dfdbojmq.exe	106

C:\Users\Admin\AppData\Local\Temp\6f647fbb98d2455a6e78707cefbb579ece389fd9ea89a595faa209b234cce9f1.exe
"C:\Users\Admin\AppData\Local\Temp\6f647fbb98d2455a6e78707cefbb579ece389fd9ea89a595faa209b234cce9f1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\SysWOW64\Chgoogfa.exe
  C:\Windows\system32\Chgoogfa.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\SysWOW64\Cpofpdgd.exe
    C:\Windows\system32\Cpofpdgd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\SysWOW64\Capchmmb.exe
      C:\Windows\system32\Capchmmb.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4000
      - C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        23⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        24⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        26⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        28⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        30⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        31⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        32⤵
        Executes dropped EXE
        
        PID:3240
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        33⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        36⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3272
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        39⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        40⤵
        Executes dropped EXE
        
        PID:4744
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        41⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        45⤵
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        46⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        49⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        50⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        52⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        57⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        63⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4864
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        67⤵
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        68⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1504
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2120
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2000
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4812
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1980
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        78⤵
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3544
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        80⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        81⤵
        Drops file in System32 directory
        
        PID:1132
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4488
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        83⤵
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4592
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        85⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        87⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        88⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        89⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        90⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        91⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        92⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        93⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        96⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        97⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        98⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        99⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        100⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        101⤵
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        102⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        103⤵
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        104⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        108⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        109⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        110⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        111⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        112⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        113⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        116⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        117⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        118⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        119⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        121⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5896
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        124⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6088
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        126⤵
        
        PID:976
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        127⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        128⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        130⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        133⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        134⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        135⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        136⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        137⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        138⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        140⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        141⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        143⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        144⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        146⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        147⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        148⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        149⤵
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        150⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6224
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6356
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        154⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6436
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        157⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        158⤵
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        159⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        162⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6780
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        166⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        168⤵
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        170⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7112
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        172⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        173⤵
        Drops file in System32 directory
        
        PID:6176
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        174⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6388
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        178⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        182⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        183⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        184⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        186⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        187⤵
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        188⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        190⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        191⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        193⤵
        Drops file in System32 directory
        
        PID:6812
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        194⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        195⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        196⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        197⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        198⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        199⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        200⤵
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7096
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6296
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        203⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        204⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        205⤵
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        206⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        207⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        208⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        209⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        210⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        211⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        212⤵
        Drops file in System32 directory
        
        PID:7368
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        213⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        214⤵
        Modifies registry class
        
        PID:7448
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        215⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7500
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        216⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        217⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7584
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        218⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 408
        219⤵
        Program crash
        
        PID:7712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7624 -ip 7624
1⤵
PID:7688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Capchmmb.exe

Filesize
182KB

MD5
b857a66a7283855f0d33015fb519e7b8

SHA1
97a2ad53986e96d667a0be175035c13f1537dc87

SHA256
1327381b34ee4d2512868cacabb7e2e1f59ef7c4f3fb8b2865345156c5b72a35

SHA512
d87e86161a7e327423d2a34aa17659bfedb16d5c81c6fa964f3c9f60aeb23dd65f0f144d618e97fc93e5e5e215c6dc7afc037de1a0713fd044dbb53c36c24a3a

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
182KB

MD5
67f82a76488b123bd2354f34ba409f6f

SHA1
1b7022e321f5da6bc9ec534e8c7b46746a40e2be

SHA256
f4f82eda4041b08501ed318ff790bfa025f13082a9068f703726ccc079c8f0c7

SHA512
e11fad9cef7497dfff74c99c9aeca34839b91dfac219d52f3b07b635e42e3e60bff1c2a36722332b1a394ec2456275a2ea463488400da6d7beec1316f27f9982

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
182KB

MD5
98fd6b4df628d85b6be95717e066f497

SHA1
33a3341dd69c55e8b1ff7012c7b99364a9e4db55

SHA256
fd5eb1b76dc08f64600013fa21f7a9553e5d548d673906d6a8fcd5d11c33687e

SHA512
7ac46302a3f9aa53f02e16491edd850f94081435ef20d0bc2449b987efda1b3e171db1e0bdd5fcd0b3bf629a154e15e8c332d4e43ec47477b9ad9e03efd054ad

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
182KB

MD5
7e4e48d57972a539ac1b9adb5bd4de53

SHA1
62067d4c7decdff3b2ceba51e50ca4a27c045e8f

SHA256
adb740903fcdc97f5f1893c20b87944667515c7c564eb35a9687b439b7cb1d29

SHA512
2e56d6fd218d3dc7bee0b8b27a4cc6289cd71a727365e170497d59fb2ef34db678fdcdf2f8e543491fd7e00cf30aa135183c6320aabad5821d28650cf765327a

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
182KB

MD5
489f5b7760638399693293b9e20de41d

SHA1
c73c4ef28c0f82ff44c7287dbe8526181b0131c6

SHA256
41acadb5bf231197f830bf6a289f2cf9d4f3c2521108cca8725189ef6425cd0c

SHA512
ec938ee684bab1c508a631e4126ffaae2d879c345e52434aa31219f212312fdfe1ab4639f59de50a9dd49ac530ce7bb81f58035d10821acee5c07faf3dd162cd

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
182KB

MD5
2fa825253d83eeec1b70071d74ab56f8

SHA1
153b7745624d1c458a767b59432d09dd235a421b

SHA256
5d39c0169a856dc4fc2367fa940d8d5c48cc5c1edbc5bf28871053ccc0b73e3d

SHA512
fa1edcafa3bcc4f8fcd6fc1ac98655afc680637834da0403f06be956ba3d19ccefe976d4a5c5b5f1c789fbf3785fe0a11df8758c51ea43ae7fcbf5a2788c14f7

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
182KB

MD5
ee1558be51c11cb8d84ff8861f672fe6

SHA1
7265b374bda5b3b2d39a74b1cd7f7907cf58761a

SHA256
dc63a771ea03a7bbd22b12df631a963e5d13ccddc1e48754f47c0f491d977573

SHA512
5368b3ec997313fbc83c5ab00311248d3c927bba3b4dfddd4e21c5ff04e791691d67d421de30a6d5d9c773e08d3e6299ae1e175512865b7c9845192e28321960

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
182KB

MD5
d7c76f4304e5c7fd5945970654c1c9a1

SHA1
3e4a3a09e883f94641f5110931dcffe391ee1816

SHA256
035df4d460c5f67e5a9dbaed37e825c3fbf5fa5a381db3127e8aa2cbad0a15f1

SHA512
92f981617bc3591aabcede75de2bcd206fe49fdb8d4072ae0c12fbd75e66e5bf8d391c1b1b1e051d35651641c575b669f5659dd7d7fd4dba6c06052aa41544f2

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
182KB

MD5
9e8c8854d969b385d3957b6392413498

SHA1
e43fb2e4f44cdfcf593cb672fd75e45cd68759cd

SHA256
2f282b85ef3860b7466ff96504fb4980e28f998719961d464baf067e1c37ccc5

SHA512
1efc16f04d7893788bee33b74cbd67b6d7a4822e401dda02d0fe8fc74698eb10df47e572eba74b922af42d4a3b57b89b9bc94dac9864212b94c3462a271e212f

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
182KB

MD5
9f20bf448a52a68f53cf15196625d975

SHA1
f9bcaaa99c811ecb5a8838dfe9f288e974ad3db4

SHA256
c447c95559b50ea1236401cad4e5eebe08c438a7783b8fab02327171e7163e51

SHA512
8965db582627f731f0aee0479f6eee4cd8490c7050582b3e589e0f31b50fa4ecbc02c86f9886a0bd56e297ec690b42484f3bef233c6c0782b776c9e6a8ab25f8

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
182KB

MD5
8c6a8b45b0faaa6182af07b363a89740

SHA1
565eb672df2d5b61a72bd355458a42361876d9dd

SHA256
f489e7ba510ec108a29807e3744b41f0ba20be106a1b2f68c6e3e57458c85662

SHA512
45c5039266de2e531df10c1e82c93de628d89dfe57ff656835f4c5a92f8b5b2fa423d016a58163668f6610ec460bfd3dd9622103712a554401387c26f5590d70

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
182KB

MD5
94214cfacfedf73e580c9652937f4430

SHA1
995a6fe890bad4b7fcc6685e54170c5c8f4bf674

SHA256
6640230f5f901d04d17e1417355a6e750b8b3541111bf9191041ed7baf411d1b

SHA512
3a52a343c9eb8b10570b6d0995d862d67cf49455fba394688c3a85d6a5cfded6371fc5c60f5c432ba9ab94f7a3622167ed664ea84b68800fc354eeabce37fa83

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
182KB

MD5
e94b6a53e99f435364c39c4211ff558d

SHA1
871d61035ec70b391c500ef04ea6be1162c87fa5

SHA256
d77790e30cac915973fb03344b868f1bc7b9e9415634537a71772ce31eaff1c8

SHA512
08299af2490e1681e0d9f8afc8a739c6de9c8a51112dfffcceecca226a5ea74c2167b6c10400b64730c892e4d2cd7ba45935c85ccac756f3ddb594ae611a2b86

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
182KB

MD5
c196d3456206ece52fbe58669c450117

SHA1
0df84158601602eb2199657bb97b425c4843fd03

SHA256
c49e2e93d3b1f97d0e9abbb0fd4b98dbb0cf8294590f62ec4a3f60af30caa790

SHA512
c5ef53b6b046d720b2a22f07202544347f8571caed45985469f615508bf1f048fbccc749cb5fb37c605222c47e37826a0eac6aef2c37d17de843a0d3cec9bd21

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
182KB

MD5
a53f941e2cfa7e1f16c4b44a1a5c43a7

SHA1
1864a133daca2f4a2a31a0c65921ad6902f35ed1

SHA256
bea90ab6817fcd85e73605afccef7ae5e6865b85b314002de7fe4b046767479a

SHA512
9295600a205261c00c1166e5dbce765a6144a6d601a723f9aadb1cc67594d089775d8a7a7e72cae18afb687c755d73477b28dc0748a231a185da550537fa3586

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
182KB

MD5
fe7d5ddf7ed7ed2e4f43d3e7486ab223

SHA1
7f6c5fb29ddb0d8bf13a995c613900043f9abcae

SHA256
6d7d5c3aaa1317222871f322252864f51ca99695bb75e3dadcccccf83ada249e

SHA512
659cc16737a85e7dc6ce0f27ce29bb273c1610df923151e0383e7be58d0b8b36470b634e4d07c4e38d256cf4b93e986c51d69ba69d7e374960e3db76dc4623c0

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
182KB

MD5
b2975a018d1c28bd3f2844b547e1b038

SHA1
af05e1663add2740ceae34bfaf2f1ad0d17fdd70

SHA256
09bbc3929ff5824a4bb85efd87ab1746b036e03cd5fabdb3bb3f1abf36fc7858

SHA512
5f66385449fb1f70412cce9b70c6781ab35094163449043797e20095853fec4609e37742e4bc1876bc1f7c8460b8610b4c50d223dbf27d9be90de9eb2aa2de4d

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
182KB

MD5
48e519a81ddb8a902311312b306e8f39

SHA1
307f43ca0e7f7f5b940cd073e3959aa9620f1888

SHA256
acf9a4ba3734f50723fa8d0ac7fd974e212318cfbdee068eddc122ff62d78ea9

SHA512
2c988173733aec2a3b85950307c034e68b233eb3a377db9ee8e8e380c8ec9d378dec925f81e85540b17491d589b0f1f1c7ee84f01a510d1759e3ff82a4a7abb9

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
182KB

MD5
425b0ab7ecafca1772199d5a3c506e90

SHA1
62ecd00ede4be26cdf30a6fb7dc730158c377d4a

SHA256
cff51bdde9eb35335cb3a96ee2bfc23e21c0e6185ca8b76385d0c366ca5cf9c5

SHA512
acaf077e5d4f9883eb70bad2ff315b9595b5518f43f2c93819ea2e71866b7af38fa961f161a3d3de4f918a803c9fd555e139e241d6ff333aaffcaa0b9e403ecf

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
182KB

MD5
e3607bd840312e6683fdbb7c82aefaaf

SHA1
1edd229278427931d16a9658c4c9a9e10cd611b4

SHA256
330f58250297ed6a271552d33a50ef3b406e3151e40bba7958a1f24c147bb57e

SHA512
8f447600fe803122010fc6988362256acd2703ac412156cb5a7ffb20ddff5bae78edb354803803dceec039a5ede01da6a1b897bed6175e341306b999adf3b918

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
182KB

MD5
1b0eb12fd32946a4b52b892f524c8644

SHA1
6df034f5a8fe0f106f5c4ad0e02ee218cf1f3488

SHA256
92f25be4d451c11d8dc451d64d770aac224429a7c06d9220e831ef9106b62493

SHA512
31e7128b13aeb8638aad9188645c7e68ba6067fa5ba5c728a86d7352fd1bbe9dd3975525378d850d9bd263b39e29d36174da3796b7aa678815a3ee96d52eb8ae

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
182KB

MD5
14eb3fc34e5359813e11aa74c5ea31b2

SHA1
ccfb8ceddf775cac97faf1c17fa1a197803ee2b2

SHA256
90bdedd86a1dd4a8f011a8df94aab8b559c5d871447c0c671266e461f44f2711

SHA512
627c205627051fbc083e4ef8ddf413534fbbeb55cc4e848df3581cf0870a5226e65302b281a397ed0477106741204847e25977701882ff6d314103a8308a54d8

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
182KB

MD5
49563f1072c4711d441ccfa72a0a992c

SHA1
50fcb79ba08b5a9920cd5f657af51395806ea4cc

SHA256
8ecac8600a616d84e3b827911c81846321bc625a1c3c36aebc4371ed28da6ca3

SHA512
86e826567ce97ce99efe5de869e971097dc7981ca96b81db861dd630829a8c1628130d72690042ee7d93a666df492c2b6800046f5d8250ebbc85d30ddf593dc2

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
182KB

MD5
dee1605e5e0dac4c438de5c46d8dc0e9

SHA1
b12cc490c7b94623a7f63e709dd509d73bd56138

SHA256
485ff356de7d739cefd44cb862ee9ba23e171143a27ee3201613096543aef3bd

SHA512
604e44413acf457b8c6d274fc6d8731b8096fcdc525cb3b887f34dfef19799a5a30b730121072009da075f4d3631a4244fc99657b234113fb9e598181d06ba05

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
182KB

MD5
09148a7f78b12f2dfb5650cdce60c7d9

SHA1
10152e2dec8a20b01c2168ad50542ff191dc1c5b

SHA256
c8889d855fad04a30aa36ac82e8e846222e9c398dfd4e6d22dbbaa53d9a261ae

SHA512
1ccb5626ed6317fc54f0343b587b3517757dc807c22d1e657148606fa57060f1bdfab8106f313fc697d2e5daa65d69c755dba4748ace7d0c768775744145a950

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
182KB

MD5
8206ee2542d99f91806c962a3704593c

SHA1
9d66381f15d7f85315ad993634aecb3718a23f57

SHA256
e806613b50787daf072d3a264f2853a65eccf70692f8f4340687ef15ae9a735b

SHA512
6c0555d333cee609fd7a10a7103b41ec703760d743426d8989737391e800f810656ad777ac94033178f68d087573640d253790c0251bea429e765c8f3ebc59ad

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
182KB

MD5
81648484336b1c608c56e40dc60b249f

SHA1
3a08fd107abaf7bcfc3ed7c4be19fb4a2751a6cb

SHA256
26c6b2c251c0c16e555b2417e6f3730c5bccfa64558d967a932eabe58b47a9ad

SHA512
35fc9a4e90fc1e687a96985bcd365f6cba68b5d3d270f8722a4a5f716b323fb5dc0407679814fc73768b80063f8e35294fe4ec669668c153d9aaf0f5fdd47dc3

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
182KB

MD5
abafd8f03454a146e173b5d83f7feeb1

SHA1
f06b432842779c4e1e975e05fe9b7a2575978e5e

SHA256
1dd00d6a7134e5c7a66ec14ca7a5118baba78985198ca21bb70ff38d227ed7aa

SHA512
db847d6b067f232a68f9a1f2a4794aec8cd9d3f35cc17dec21af796f0be1fe582feff8c6b94887a301b37f78afc98dac9712b9977a51854e499d4686577865e6

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
182KB

MD5
a113aee962c54141d236a8ae72053f8d

SHA1
b7feee86d6afeeb585cebc1efd137a51277b5161

SHA256
9c870b12ec92b194f3401e5124b4914a88722042ce8da70a0ddb24f530823285

SHA512
597a615ebaa9b602762dde27f2884c3341cfa0653fccb6fc4fdc4a9d8f5a0ae2f0219a3815d4533bfcce5c66d175b05c0f05845b1fdde7e993baa7664f896f97

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
182KB

MD5
4bda6ea7d93946e69b44200e996f8b8e

SHA1
3a6aa6aaf4862c6174571ed415c2a169f30e2399

SHA256
d5e6af9cfa20c75d0d8e7a0307b471702857097f76a433a13eca2caca96efd23

SHA512
302319559bd2eb92c91bb63c1554229038ed1070b6b2957351ab538c8a21599b42bda19d5f8b8681923f1ce11a867826e4af6cb4da64fccb6885de5a71c12007

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
182KB

MD5
786836e26d85ae80d2e2940efdb578e1

SHA1
1f4144e36377e6edba24582bf82480dc15c26b87

SHA256
588f805dc27bf03081bbbc42834e3866d5be1f841a0de4c5751a12d328b3b084

SHA512
47b5418bc363d711fbf9342c5db0635f735742a814881d4904a59148c16548f8a842f6ee3dd39a09c4a460e5fd952769f86b2c9673f34500038cd2594451ca73

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
182KB

MD5
b5a021ff0abeea713d60e7e4f48370e0

SHA1
d490e5f155efd7de263f88a0c79ea346bcddbf24

SHA256
f66ba85a1b385038d5ff924e5ffde0157386dc91a1823688dc28121a2a713831

SHA512
a02cfd5989a605d1c150f0126b15f0d352186010eb4e26bef0fc35d3c27eaf97ab76943b21e29aa3a60bbf4924f8264380e1a720f4de11e61376c88c394a7eef

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
182KB

MD5
60d35afd7629eed95351898b86d41cd2

SHA1
172d1df84d5b299009de9969c250cd1e16326929

SHA256
6319cdf8df0f0435e7c4acccee3f2ddb13a9c588290b145fbc2a048e5e109574

SHA512
021781ae5a7f7dd9a870af76666a435df6adb863f16375192144310c8b27bb81ab8e6fca4a1fe0bd584255195f0384d3317f3e6e45c98493e652315f286aa62c

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
182KB

MD5
284b49f67e4252f68c2482cd4d48ec7a

SHA1
68c04271be9ab8db71a82d6775bd19d4d53bbe96

SHA256
92a61400eaea62d27ab84ab26021a3d1e2114d3efe28c42364da4c0bd512cdff

SHA512
ccdd36b470b91db20055ae50cb8bdd3d29ac138d0f4a7276afbc02bfa05cb099c6a6e6d75818f5b1aba3b76986d9aac5552b496f7a573c1db1c6a14c102003f2

Download Submit
C:\Windows\SysWOW64\Gifmnpnl.exe

Filesize
182KB

MD5
8eebc811f8c1dbf97b62a8c698d58a44

SHA1
d6fed05e0dfda4cb65a50ba139818346852906fd

SHA256
26bc94798334cee9c1d1a8676657b9eb3532da1abf0fcba06179d178e13e59f7

SHA512
e3ed38f6a2349edb806aceb320901681e56f3bc4226d45749b54d40faa37b5b0060cc3b9d0b5341429136908227a957973fa947f9216afc5e45e2c36befde84c

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
182KB

MD5
a2801b4cddc2eed5945878d5dc404ce5

SHA1
e7b8acc87d7d44907208094329aa054612d1f87d

SHA256
514f66fc90cf6fa418372f92a75f91f80df1f4376bbce114ec6a8762e2c64c84

SHA512
54350056aea61dff8a9297bb86d2e535c25c282930e7e94741c67f4365cedbbd1c679a18bea3c3c2942e4f6f928112cecee3b030b2f44b3e51cf6b9295b61003

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
182KB

MD5
6720f7f7aab47996f1dce9ed5a9f801f

SHA1
8c660545d99d773cf0484df0820b083f0c418d27

SHA256
9e410ebe7367ec2928f7ccd81f4f3aeb340b7b5af0f900413a8b973bd0f51218

SHA512
d98f64df80fd0e372c2eb340201e5eeb5701f76e1ec422f6822594e784e97150cfab2413acbc032c0d4d09d596ac4077eff0f4f8d5a2d06ae0702a96fca2ba48

Download Submit
memory/60-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3272-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4300-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4304-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4316-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4496-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7220-1461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7272-1460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7500-1455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7584-1453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7624-1452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads