e2a9f2ba42bbb9ea0548a679503ea6e26dde63227dd2eeed0b85c961b6434023

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2a9f2ba42bbb9ea0548a679503ea6e26dde63227dd2eeed0b85c961b6434023.exe
Size

224KB
MD5

b1112140da9ebb9ad93bafd525601159
SHA1

51d064cfc72fb5b87cf99ec19c23c3fe33a8f952
SHA256

e2a9f2ba42bbb9ea0548a679503ea6e26dde63227dd2eeed0b85c961b6434023
SHA512

3bdf45316c6197584f2888ad7c44f4b486aa5e0508157f6a54a402bf9d4c003e2faae1a4f27b17dc140f3e8662d02e2b136537ef84df158a4f84d325530e6fbb
SSDEEP

3072:Gfo1LFCe8XwXpx2KIuYUvIMDrFDHZtOgxBOXXwwfBoD6N3h8N5G2qVUDrFDHZtOa:ZFFCiXr2C4s5tTDUZNSN58VU5tTtf

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cedihl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e2a9f2ba42bbb9ea0548a679503ea6e26dde63227dd2eeed0b85c961b6434023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bikkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccfmla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpcpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behiln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daifnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dadlclim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe

Executes dropped EXE 64 IoCs

pid	Process
3496	Behiln32.exe
2972	Bpnnig32.exe
4368	Baojaoke.exe
4924	Bbofkbbh.exe
2636	Bemcgmak.exe
2396	Bpcgdfaa.exe
336	Badcln32.exe
4636	Bikkml32.exe
3008	Cpedjf32.exe
1604	Cafpanem.exe
1436	Chphoh32.exe
3928	Cpgqpe32.exe
3440	Ccfmla32.exe
1432	Cedihl32.exe
1500	Clnadfbp.exe
1196	Cchiaqjm.exe
3460	Cibank32.exe
740	Clqnjf32.exe
2228	Chgoogfa.exe
2304	Cpofpdgd.exe
2520	Cekohk32.exe
4680	Dlegeemh.exe
2324	Dcopbp32.exe
264	Diihojkb.exe
2020	Dpcpkc32.exe
2024	Dadlclim.exe
820	Dhnepfpj.exe
3264	Djnaji32.exe
4068	Dcfebonm.exe
4328	Daifnk32.exe
3456	Dpjflb32.exe
3956	Dakbckbe.exe
1380	Ehekqe32.exe
4324	Eoocmoao.exe
1924	Ebnoikqb.exe
4424	Ejegjh32.exe
4708	Elccfc32.exe
1412	Eoapbo32.exe
1796	Ebploj32.exe
1664	Ejgdpg32.exe
4580	Eodlho32.exe
3116	Ebbidj32.exe
4664	Ejjqeg32.exe
540	Elhmablc.exe
2584	Eofinnkf.exe
2128	Efpajh32.exe
4748	Ehonfc32.exe
1316	Eqfeha32.exe
1144	Ecdbdl32.exe
4568	Fjnjqfij.exe
4332	Fmmfmbhn.exe
680	Fokbim32.exe
4176	Ffekegon.exe
4436	Fmocba32.exe
2360	Fjcclf32.exe
4908	Fmapha32.exe
1536	Fckhdk32.exe
3760	Fihqmb32.exe
4496	Fqohnp32.exe
2216	Fbqefhpm.exe
4984	Fjhmgeao.exe
3324	Fqaeco32.exe
4000	Gbcakg32.exe
4860	Gjjjle32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Fjcclf32.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jiikak32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ehekqe32.exe	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Dhnepfpj.exe	Dadlclim.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Cafpanem.exe	Cpedjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Cqddbnon.dll	Behiln32.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Eoapbo32.exe	Elccfc32.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Ebploj32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Hbiklpin.dll	Dcopbp32.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Cmlnpc32.dll	Chgoogfa.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Bgadhj32.dll	Cpedjf32.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Eofinnkf.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Chphoh32.exe	Cafpanem.exe
File opened for modification	C:\Windows\SysWOW64\Dakbckbe.exe	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hikfip32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hmklen32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jiphkm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6636	6216	WerFault.exe	279

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baojaoke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cibank32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkkkd32.dll"	Dlegeemh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e2a9f2ba42bbb9ea0548a679503ea6e26dde63227dd2eeed0b85c961b6434023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpqikhah.dll"	Chphoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chgoogfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpofpdgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbofkbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaodjbe.dll"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpnnig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Badcln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clnadfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdahgfpd.dll"	Cpgqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genjanmh.dll"	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnfol32.dll"	Baojaoke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bemcgmak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjdcc32.dll"	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqlqc32.dll"	Badcln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aodldljj.dll"	Clnadfbp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3496	4296	e2a9f2ba42bbb9ea0548a679503ea6e26dde63227dd2eeed0b85c961b6434023.exe	87
PID 4296 wrote to memory of 3496	4296	e2a9f2ba42bbb9ea0548a679503ea6e26dde63227dd2eeed0b85c961b6434023.exe	87
PID 4296 wrote to memory of 3496	4296	e2a9f2ba42bbb9ea0548a679503ea6e26dde63227dd2eeed0b85c961b6434023.exe	87
PID 3496 wrote to memory of 2972	3496	Behiln32.exe	88
PID 3496 wrote to memory of 2972	3496	Behiln32.exe	88
PID 3496 wrote to memory of 2972	3496	Behiln32.exe	88
PID 2972 wrote to memory of 4368	2972	Bpnnig32.exe	89
PID 2972 wrote to memory of 4368	2972	Bpnnig32.exe	89
PID 2972 wrote to memory of 4368	2972	Bpnnig32.exe	89
PID 4368 wrote to memory of 4924	4368	Baojaoke.exe	90
PID 4368 wrote to memory of 4924	4368	Baojaoke.exe	90
PID 4368 wrote to memory of 4924	4368	Baojaoke.exe	90
PID 4924 wrote to memory of 2636	4924	Bbofkbbh.exe	91
PID 4924 wrote to memory of 2636	4924	Bbofkbbh.exe	91
PID 4924 wrote to memory of 2636	4924	Bbofkbbh.exe	91
PID 2636 wrote to memory of 2396	2636	Bemcgmak.exe	92
PID 2636 wrote to memory of 2396	2636	Bemcgmak.exe	92
PID 2636 wrote to memory of 2396	2636	Bemcgmak.exe	92
PID 2396 wrote to memory of 336	2396	Bpcgdfaa.exe	93
PID 2396 wrote to memory of 336	2396	Bpcgdfaa.exe	93
PID 2396 wrote to memory of 336	2396	Bpcgdfaa.exe	93
PID 336 wrote to memory of 4636	336	Badcln32.exe	94
PID 336 wrote to memory of 4636	336	Badcln32.exe	94
PID 336 wrote to memory of 4636	336	Badcln32.exe	94
PID 4636 wrote to memory of 3008	4636	Bikkml32.exe	95
PID 4636 wrote to memory of 3008	4636	Bikkml32.exe	95
PID 4636 wrote to memory of 3008	4636	Bikkml32.exe	95
PID 3008 wrote to memory of 1604	3008	Cpedjf32.exe	96
PID 3008 wrote to memory of 1604	3008	Cpedjf32.exe	96
PID 3008 wrote to memory of 1604	3008	Cpedjf32.exe	96
PID 1604 wrote to memory of 1436	1604	Cafpanem.exe	97
PID 1604 wrote to memory of 1436	1604	Cafpanem.exe	97
PID 1604 wrote to memory of 1436	1604	Cafpanem.exe	97
PID 1436 wrote to memory of 3928	1436	Chphoh32.exe	98
PID 1436 wrote to memory of 3928	1436	Chphoh32.exe	98
PID 1436 wrote to memory of 3928	1436	Chphoh32.exe	98
PID 3928 wrote to memory of 3440	3928	Cpgqpe32.exe	99
PID 3928 wrote to memory of 3440	3928	Cpgqpe32.exe	99
PID 3928 wrote to memory of 3440	3928	Cpgqpe32.exe	99
PID 3440 wrote to memory of 1432	3440	Ccfmla32.exe	100
PID 3440 wrote to memory of 1432	3440	Ccfmla32.exe	100
PID 3440 wrote to memory of 1432	3440	Ccfmla32.exe	100
PID 1432 wrote to memory of 1500	1432	Cedihl32.exe	101
PID 1432 wrote to memory of 1500	1432	Cedihl32.exe	101
PID 1432 wrote to memory of 1500	1432	Cedihl32.exe	101
PID 1500 wrote to memory of 1196	1500	Clnadfbp.exe	102
PID 1500 wrote to memory of 1196	1500	Clnadfbp.exe	102
PID 1500 wrote to memory of 1196	1500	Clnadfbp.exe	102
PID 1196 wrote to memory of 3460	1196	Cchiaqjm.exe	103
PID 1196 wrote to memory of 3460	1196	Cchiaqjm.exe	103
PID 1196 wrote to memory of 3460	1196	Cchiaqjm.exe	103
PID 3460 wrote to memory of 740	3460	Cibank32.exe	104
PID 3460 wrote to memory of 740	3460	Cibank32.exe	104
PID 3460 wrote to memory of 740	3460	Cibank32.exe	104
PID 740 wrote to memory of 2228	740	Clqnjf32.exe	105
PID 740 wrote to memory of 2228	740	Clqnjf32.exe	105
PID 740 wrote to memory of 2228	740	Clqnjf32.exe	105
PID 2228 wrote to memory of 2304	2228	Chgoogfa.exe	106
PID 2228 wrote to memory of 2304	2228	Chgoogfa.exe	106
PID 2228 wrote to memory of 2304	2228	Chgoogfa.exe	106
PID 2304 wrote to memory of 2520	2304	Cpofpdgd.exe	108
PID 2304 wrote to memory of 2520	2304	Cpofpdgd.exe	108
PID 2304 wrote to memory of 2520	2304	Cpofpdgd.exe	108
PID 2520 wrote to memory of 4680	2520	Cekohk32.exe	109

C:\Users\Admin\AppData\Local\Temp\e2a9f2ba42bbb9ea0548a679503ea6e26dde63227dd2eeed0b85c961b6434023.exe
"C:\Users\Admin\AppData\Local\Temp\e2a9f2ba42bbb9ea0548a679503ea6e26dde63227dd2eeed0b85c961b6434023.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\Behiln32.exe
  C:\Windows\system32\Behiln32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\SysWOW64\Bpnnig32.exe
    C:\Windows\system32\Bpnnig32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\Baojaoke.exe
      C:\Windows\system32\Baojaoke.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\SysWOW64\Bemcgmak.exe
        
        C:\Windows\system32\Bemcgmak.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Badcln32.exe
        
        C:\Windows\system32\Badcln32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Cafpanem.exe
        
        C:\Windows\system32\Cafpanem.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Chphoh32.exe
        
        C:\Windows\system32\Chphoh32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:264
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        28⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        29⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        30⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        37⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        43⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        44⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        45⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        48⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        54⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        56⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        58⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3760
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        60⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        62⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        65⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1772
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4404
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        68⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        69⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3188
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        72⤵
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        73⤵
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        76⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4088
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5112
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        80⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        81⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        83⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        84⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        86⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        91⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        94⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        97⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        99⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        100⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        101⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6132
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        105⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        107⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        108⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5500
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        111⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5724
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        113⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        114⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        115⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        116⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        117⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        119⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        121⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        122⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        123⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        126⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6084
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        129⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        131⤵
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        133⤵
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        134⤵
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        136⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        138⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        139⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        140⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        141⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        142⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        143⤵
        Modifies registry class
        
        PID:6220
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        144⤵
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        145⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        146⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        148⤵
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        150⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        151⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        152⤵
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        155⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        158⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        159⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        160⤵
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7000
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7084
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        164⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        166⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        167⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        169⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        170⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        173⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        174⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        175⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        176⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        177⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        178⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        179⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        181⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        182⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        183⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        184⤵
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        185⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        186⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        187⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6908
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        189⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        191⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 400
        192⤵
        Program crash
        
        PID:6636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6216 -ip 6216
1⤵
PID:6532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Badcln32.exe

Filesize
224KB

MD5
006b6ca6c728b0789a3d1c785203542f

SHA1
e964951bd752f3f1dae2871726a01bbf865a9c73

SHA256
55b39b9ebe8fe11b4254d333c5bf0ac1c893b84a30f992329251f29a22fffe8f

SHA512
b9bd9910b74b82cedc21ef736f005854600e437c6c3b6a0711dc1a8a035122f2f9501b9f1e6053698ae36ed0f3cf87f0d564bed4e64807a65204249cedb40a8c

Download Submit
C:\Windows\SysWOW64\Baojaoke.exe

Filesize
224KB

MD5
ab3343a56b2bebc4d5b02b2bc2327a6e

SHA1
a7f32b585f9e89f3fc8ee0a80c57f6054e6b0385

SHA256
e6b810a6f1459646245a0d80958848442f8b087d98f6d8bab231e399ff391782

SHA512
e075176be39d7ffdda017068d23e44c5e3e50c60d2909e78726d3b239cda3e80a23404da8aa20e7132aeadc82c42a7d7c4deddacf46a4292d6fc492e0e9368ed

Download Submit
C:\Windows\SysWOW64\Bbofkbbh.exe

Filesize
224KB

MD5
f8d10ca7f7e64323c5796b3cbbcdaa19

SHA1
d958bc2c557e60fdaa8caf265fbc3d2b361cf791

SHA256
d4690d2d3de692ba622f64c8471ed3d703ef269b453cb848c96cd56a85d8aa01

SHA512
f30aa1f130bfe279946d65c1c24629cac21a27a98474abbf1033e3b6f11d5b2501da47e923bcc761cfd5f1d822fed72ad14336f740abc5b2a783325a7423db67

Download Submit
C:\Windows\SysWOW64\Behiln32.exe

Filesize
224KB

MD5
83a28b8fa3147be1bd64f36cb8f8cfa7

SHA1
b27fbb941b025177db11543806ae211acb76b566

SHA256
e59745716ba5a6303405a0ec800129c75d15a53ff0c783bf5c54ce19e489fe39

SHA512
f37793b1c794685e4c8f4958c8a2552ce64f8a024067a1f26a3ef443304a3a6594a4217dd7f51f28391b4cf644d4017d70ab78589529da69581391ed6c00a63e

Download Submit
C:\Windows\SysWOW64\Bemcgmak.exe

Filesize
224KB

MD5
2af7ef52be0f05b074e16360d6bc7410

SHA1
dcb8aad9df21f85bdbc7b8bcebc97b25845319cb

SHA256
b5c7025ced93787bcedef3139cd99777107a26807ee43f44688a1f60be323aa5

SHA512
193aa461b66ddff3e33da39d0b7de714e7de2e7a0467b5820465a3ab6a98c058da3a799ae714ac769e34598188d32987d7a1bb3e7cfc1d152c5cd9b6b93346c3

Download Submit
C:\Windows\SysWOW64\Bikkml32.exe

Filesize
224KB

MD5
b54f68bfa085269254b6dd6da38cafd3

SHA1
50c8875c42c17e8f13791287244cfda1b23ff05c

SHA256
fbce6f47895a55b1a36ad73ab842cdbb95df22fb04587c47691bc2757375eab6

SHA512
86cea024035e507bd4c072fa547e5669817faa8050673e32e6b74bc4f7b8637dfe17eb7cbd26ea0c73c68a3f01884e5c2858f999a255bd917faf2b61226784ac

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
224KB

MD5
80523da04f381d097db5dd1cec183556

SHA1
940d377c6edc2c07943c34ee577bd05e7cf3afd1

SHA256
8de5ce019bcd15e05a1853be33602f05e25c5755bcdffa8b9e125b761c121f61

SHA512
e83beb74f8f6acfb323dbe616a01cac18fbc4df1ef0778f8ea8d11e53de463c4986424581dce5a0d7d49be322b51edfcce69d9d72b6ad6324c06a1d332aced77

Download Submit
C:\Windows\SysWOW64\Bpnnig32.exe

Filesize
224KB

MD5
5df140905236d70895a0d10c35893979

SHA1
0e11b33f4608b125cb081070eacb923a1a293cbd

SHA256
a86bd296bc3229f77becc0fe9e19f450fef68a37ebef37c259d9b55b8eedeb55

SHA512
c5a7a8ce13c093ef3e141422fe2a086670275f37905a047b43a1d14647e96d68078206163684af1ffb12af9800119df5c75f41cc4bfdaff9c3d12b42ebb4e753

Download Submit
C:\Windows\SysWOW64\Cafpanem.exe

Filesize
224KB

MD5
a2e817dd33dabc1959fab68cfabb1eea

SHA1
5cc048acee5bee49630f3937df6e59a01d99d202

SHA256
adfb1623792d4bdb7acbdd98e588dd268c71ed02050dd5096e956092aadbf624

SHA512
33e37f74d4fce5fa39bdbcf3ae2adaa80f1ac08eeb82e74cf12fb6f508f753d3081bbb715332263edf547cb71a076c2d128d090927ad8c2441e9e112747c2c63

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
224KB

MD5
6007a1da63f9cbdf62b98e247fca97ca

SHA1
52e50f4ed0170bfcd75a3cd7543cd646d2491b77

SHA256
c469d7cfcf80f50bb2860bccc401c4baf0aabd2571948da82c2c16d381e2e323

SHA512
cdd4d9deadbfe546db0723a3cac1572b0612313b2c75067226790b33bb5249ec696f380986ffaceaeaa4e8e7b81364148e5c24db44295afc2a90e737fa25f482

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
224KB

MD5
9990c057efc91a90058261140529380e

SHA1
0ff6db84ca26be139c184317be825e93e27253e5

SHA256
0494e80a1ff8c9db4ede3565dcdb815551827848ff4ad10d176271b4ef9c2cff

SHA512
c913167c8a943dce9bf6215919658c22b172dc1b4c3143007f71d22efc72383562c2a333bae55c68478ec56c080a5ca278c03e76a9cb0ebec55cd5c78f2a8ca6

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
224KB

MD5
e192dd611075256817432fc230e7e216

SHA1
341d0efd3ecc1739d675931710964417d114003a

SHA256
ebc5c450bb60535e287911c5ff724324a67c58ed58379a94c34c032fed9ff38a

SHA512
f6d864c0f134e89399c5cfa47b1ec323e8accb38e7473a1b42403c74d846cc7b8e4f1df456bda6e1dbafddf19f3a77da14c6d28afdfc0163a43e9241dc62aeed

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
224KB

MD5
c05730e621410901ddb11809c8351d6c

SHA1
13072fe4ac51c0625561ed8090c09d59364ba995

SHA256
5c33161a8093bcc2df4be396459586e269e042528a6e4b928191e5be92a25647

SHA512
ac62cd1e80d885e0e96227dc0a74d6d10ab3d180c6a9454a339029156fb7edb0172801dd019c0209b38c05a65f2ad9f0ec9f323dba5f11165c95fd255ecb6bc0

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
224KB

MD5
61d07c0c0d19e2cdb541f4a101f4bdb5

SHA1
52a4f9dbfb572052781a032b0f694a17b8a2088e

SHA256
d8de55ccac518fa88db8e01cadc0dda444e93a80ea91f939a95bb6d91471fe26

SHA512
4448b97f12dce9a08d65dbea82f3fb68a2a7c553beb63e934abadc04c21e4b1bdb84267d8de5803bf1fd112fbbd0388b0254a2c6bc005c4a71da2be0fc369cbb

Download Submit
C:\Windows\SysWOW64\Chphoh32.exe

Filesize
224KB

MD5
a5b9e728527d5f3213669a8732524cf7

SHA1
f8f7e34e3621eb5c7ff297c4c433554f6bf5ee78

SHA256
3c1198738d5ed2a795057fbb2253025b03de059ba2ca1c7af7db11af610194f9

SHA512
ef4ecdcb5869feb4a5d521e5b1eb0130ebe738ced82bf3dee30ecc2c66cb9e06b925957682a13de5c7920e053a56e7a74e23dd2f8aa8ab077239309567aae26b

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
224KB

MD5
928ec8773e0b94bab041ca6fe9c4bab3

SHA1
db5f5ff3c71729082b17e517bef5de4e168d8609

SHA256
80f8d1b4c6c6a0de307ccaac4ea9575cff848a692252ffc2bad47063a8a3c153

SHA512
33f3056fc3445d7588d693f174f5c36ee414a399e3d80bc932116a75cbbe6c7c71475bf6804e902847405ff5fa45d4c43a1138aae7b1889ccd2840cecdd5e65b

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
224KB

MD5
395c384b27c8228f600090cc761122b2

SHA1
02042d5c87bda076dc65e9a31d94bb0def40364c

SHA256
948c03fca3f5e798a28ba38875bdf107d4aca6e28d223970c8711365910945f1

SHA512
c844d78ec06fdd107e7272e04e650dfabe549360341906bd085a87fbb05df2a11bad6e12049c011971fbf68b138d56c4b9c3362eb8445c0ae55145d94bfbcf95

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
224KB

MD5
45a893ab053ed30b1f9f3107632d0925

SHA1
c4a40b44e054d228b90b9bbe977d56c842dd3dc6

SHA256
a226a2125c6bfa34231753368018524422a41a9d3362f5fda1f3fc1a0aec5d02

SHA512
c02d51b4324a9f1e005f7369ca9560c0fc6ee868024f6b61c90750e1204a8a8287b7735a0771a048c23357e99b257bc1c4d02c49338eb00c360522ee8426696e

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
224KB

MD5
0f86dbdf676e6211dc07d12d6a9989bc

SHA1
74a4bad77907a848ba3afedab7e7f019d39722f3

SHA256
02e52af55154609f4496f679237f79924380b6209c7dff290f6c7eda8acc8a82

SHA512
f411b5e624a7cba98964450ffc8ddaef39dd0b1568bc96d432e38e690a3276af7323308fda19d265725d14479d4589f8976b4a306d541edfcdeda114b5931576

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
224KB

MD5
8467b4e71fdfc2b32be87f0e518d1bd2

SHA1
fb22cc3096e010218efdc6d7dcccc15a2f11d55f

SHA256
e4dcfaba8a385f32f2bcbc99e31aa1eba72361a4dd27aae0fe8bf5bc3151942e

SHA512
0200a910aadb25dd08cbc189eddbaba1b04677b21a2ab62d21de42b21acefa21ec454d1b542251fa0745a247a614c11043acc38079ddec4fd66cbc5d13075417

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
224KB

MD5
6c34086710f261d769a5a7613eb46567

SHA1
f1a7be0609b726685354885a6ab42e7a91d6f6b4

SHA256
3fe0e7180036b66c42950c0a9fb0125bc564ecd0bc8597793214231697e8939f

SHA512
6251e751f1f4d6c5aaa4503212169940c4461e3219401881d69c471e6d019e306e210896458bce18ed7173639c51919dbb12443238f5da4f000a398d44207d9c

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
224KB

MD5
72be5e4feef876bb81d274aea34ae6ce

SHA1
b3ea8ada445478b6df00e4b544dd0f4e84ff51b4

SHA256
e0941109ad378cc5b26e438f202249fe38c06b31fb5f5f0a7182b297a930120b

SHA512
0c9e387beecb46ecce34290a2e3e4087dd9148798d57cb76ca3b6fec02c4db6d141954877de3560a2c4e7bd05f7c3dac10f081ca796a769852f4ba6940c711fb

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
224KB

MD5
5fdb54c8f1c83bf85f269dea3924edcd

SHA1
ad91101465ca2f2f1b573838f45e39314ee51a16

SHA256
d5a63d1e307a37022567cbac193048c764c2ea37a686801be4b74539594e0d2e

SHA512
f84e58a3a09c19f7846ac6062f3856de4eab0e9c025c2b9707c9aa9c935149a43ca64041b367659c093a40df61db9e850f989de9dab296eb703172ed18955a29

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
224KB

MD5
134fcad3d119732feebcbecd799f4de0

SHA1
3fdb75bbda16656d25996acd5ac5fb0720d603b0

SHA256
e02b76ea1f6e3788832b66a439adbad30e48c6be98a08398344cdf720acc9b24

SHA512
47c1d7824a116ed23e534b8e3602524856272ef69da12ca62804f513f0ced214605358bba44749466fd34f519d522ddb7bafb2e18b27cf73c8e2cf955661147b

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
224KB

MD5
075563600e257003f01c86dea520eef4

SHA1
ce5307857ca8e1926ee5996c9a27ccc6eac8df45

SHA256
10f4a325bd80b6cfc849a697a2edc6f8deb3ef77a7a03adfe249378668a1ed64

SHA512
79e8238caa8880bc804e482c66264f5980d09b77ff25912d8c89939c095731c1f888921dc20c6f6f51fe73cf0613f500293ebb7a4a5536fda483e89f93c21545

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
224KB

MD5
2f98123ca431a1029b072944760157b9

SHA1
68c15d88453af4060a56dbe4d407d4dddbc2beea

SHA256
1553738ef23d91a15e823e58ae45ff38ff2f39e77767a80c9a94bde40ab512d7

SHA512
21341b86e2a60e174a84cc8a01b7797887e7f7f764b3bae75ebb2201bd4d9563070c5d751120d8193a2c571da6a130af0ed32226db53ba5153dcbd341666344e

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
224KB

MD5
9e7f56d62f6fe06498b9f7e7454e31b5

SHA1
7a0a1d68b9ec45ef317a8b5c8889b85c703a6da2

SHA256
4ee1e4374c07b04662656ba82b3401dade54d215dd18071be4b7012e154b0f1c

SHA512
486a21092952b9d59f148c3dddffcdd16990d4cee5a21c58cb12e5cbfeac03ca285296703ebf0fd0cc6f89b8cb04d462fb983fe5f20f5b72c13f660ac6973a8a

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
224KB

MD5
4d463ab56edaca94812243491f256156

SHA1
48779c8abaf3af17cc4eca493d68e380e62a90cf

SHA256
7e2bdaaa5114018dd28a9df9176e1b46b70488a2341badcb943f84772c5bab27

SHA512
ae45ca7f048bb3179e6c3aeb6052b4b9347f1766f472049d8f36b1345e1f1f1adc7ac7a5805e73871e50fb1c9f93fa9880f15104a7dc02f21be8b34cd3571d56

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
224KB

MD5
48e044e46a864e57a51e654638c4bcf8

SHA1
0406e540b03a92948f4f92bb3b0aa21ad8dd1eb5

SHA256
dab1fe575aeb621917fc3a9c286eb3514eb0e4d3554d8ccf70fedf363544a5d3

SHA512
4099cf402f62163c5502498cf77747181ae421b2546886c25d73f31cbc996ba6ada0bcca9b3b13880acf83a9fb3d2d23670b3d4a8dd233c15d887d8da419c449

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
224KB

MD5
b77704f6bac6052c05a0206103aca27b

SHA1
57c5189b0b174832de03a13e53b86699c4e66a76

SHA256
aeaf3439cc50a320ef9cc59cae6fe90026b174e7ec08df0128e50882ace9cf3d

SHA512
f4d93f557d322e6ad7611a18bc464cb8c27b9dac8f30879b42eb27709092604bc7c829d577c8d36964ebedd99c5c0a2f93325a0c27808268c9fdfb13da26e908

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
224KB

MD5
5b2c432658911aad7f834d8faf2835f0

SHA1
586679eb4a573349787b96546192147eaf21fcc5

SHA256
d5feb35d94a7d4b145f414065da811278e6ce30a0bf9126c8f55c9cce01976a5

SHA512
9a3da32bf3d629e382ebefbf83e3c6f1800e41d703faa002312b0dbcfc600930aff06b8f492f23d2f90ac4846c795746a3ccbefe436887be343f6f8dfb2c3c87

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
224KB

MD5
e950940be50b20302ed07a300a888212

SHA1
0aaa765f4f8b75a074abfbb8749234106d6c18bb

SHA256
9a2dc0fed3e90fbd4f96236a657c4ed0d0fe63f781494ec598c67d1d99237e84

SHA512
6cb9039b460addfdc4ecc2c30be2e7b42207d6730fc08e70c6ab51034ca7f3294d3a2f32c2e7fb032d226da9370d0549c8dd1f5563c55ce43c1ae7249ad75175

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
224KB

MD5
f93cf7e99736b3b94f9a38d6c94bf515

SHA1
cc369680d100fa4549c5ce16910425add79afe9c

SHA256
24f06e755b3f06cceff9b742da57b81a7e16112a1f84d25f7cc31e4b133c544a

SHA512
0039d89c415df8149d0f099015a098b6f86fe4b35e2ed2af9bbe06a251af9599f9812fabc39ea797d9c407ca1e6fe68d93f19d4a4d7c05b98de2a07498dad74f

Download Submit
C:\Windows\SysWOW64\Imihfl32.exe

Filesize
224KB

MD5
e8846d6fd07d79265737d0c8b2ea4e90

SHA1
93189a0e4c70443e4027c03d7dddf7b618c0ea1a

SHA256
71f48a98741a4b73371968ff74fc0c7107285605a490101ad20e3c5258d4b795

SHA512
7f13260bd94fecd402b4d84f956ddabf0760165b16c2cdc9254587719a7c2ec66c2eb58873848e6a28a8de1281362ffaa362a6f6cf29fbba22d27bc664ac3082

Download Submit
memory/264-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/336-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/680-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/820-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1144-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1196-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1316-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1412-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1432-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1500-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2228-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2304-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2360-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2396-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2584-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3116-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3264-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3324-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3440-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3456-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3760-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3956-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4176-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4324-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4332-373-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4568-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4636-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4664-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4748-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-404-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads