31c5e5ef8e5bf2ae3864c7ae86f51e3847707d4a99ca8002f398c72fbfd8aef2

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31c5e5ef8e5bf2ae3864c7ae86f51e3847707d4a99ca8002f398c72fbfd8aef2.exe
Size

59KB
MD5

da79d01290048814f8b5239250a996be
SHA1

614641258b061a4f851667dc804abf074ef09150
SHA256

31c5e5ef8e5bf2ae3864c7ae86f51e3847707d4a99ca8002f398c72fbfd8aef2
SHA512

2e48c3474e6f102b59c22ed85105ebdfd742b80752bbe892845ff85a48850c7ce2c174a42767a5336235347be15f39906ca8b74f396ede2beeb3102b138fb7d6
SSDEEP

768:0ss07gsAvvu04KV/oeEx9LJ/ruX/yQ++BHsHiZ/1H5D5nf1fZMEBFELvkVgFRo:DkjugoeE7Z6PyQPBHsYHNCyVso

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cakjmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpjmee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpljkdig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjfgphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnaji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe

Executes dropped EXE 64 IoCs

pid	Process
1812	Chbedh32.exe
3576	Cpjmee32.exe
1044	Commqb32.exe
3428	Cakjmm32.exe
4684	Chebighd.exe
864	Cpljkdig.exe
2032	Ccjfgphj.exe
4916	Cidncj32.exe
2748	Clckpf32.exe
1964	Ccmclp32.exe
4656	Digkijmd.exe
3032	Dlegeemh.exe
772	Doccaall.exe
3512	Denlnk32.exe
5016	Dhlhjf32.exe
3284	Dofpgqji.exe
4412	Dadlclim.exe
4032	Djlddi32.exe
3272	Dljqpd32.exe
1632	Dohmlp32.exe
2036	Dagiil32.exe
1692	Djnaji32.exe
3212	Dllmfd32.exe
4848	Dokjbp32.exe
3476	Daifnk32.exe
4144	Dhcnke32.exe
2284	Dpjflb32.exe
2580	Dchbhn32.exe
1144	Ejbkehcg.exe
4304	Elagacbk.exe
1836	Eckonn32.exe
1600	Ejegjh32.exe
840	Ehhgfdho.exe
3264	Epopgbia.exe
4252	Ebploj32.exe
3112	Eflhoigi.exe
404	Ejgdpg32.exe
3176	Eleplc32.exe
3836	Eodlho32.exe
3104	Efneehef.exe
4628	Ehlaaddj.exe
4552	Eqciba32.exe
3752	Eofinnkf.exe
1396	Ebeejijj.exe
1660	Efpajh32.exe
1372	Emjjgbjp.exe
4932	Eoifcnid.exe
1392	Fbgbpihg.exe
4040	Fjnjqfij.exe
4588	Fmmfmbhn.exe
4472	Fbioei32.exe
740	Fjqgff32.exe
1476	Ficgacna.exe
4140	Fqkocpod.exe
3204	Ffggkgmk.exe
4344	Fifdgblo.exe
4392	Fqmlhpla.exe
1784	Fckhdk32.exe
1408	Ffjdqg32.exe
4856	Fihqmb32.exe
3572	Fqohnp32.exe
1132	Fobiilai.exe
1748	Fbqefhpm.exe
1428	Fjhmgeao.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Eceakm32.dll	Dadlclim.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Cpljkdig.exe	Chebighd.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Dadlclim.exe	Dofpgqji.exe
File opened for modification	C:\Windows\SysWOW64\Eckonn32.exe	Elagacbk.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Diefokle.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Habnjm32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Emjjgbjp.exe	Efpajh32.exe
File created	C:\Windows\SysWOW64\Gameonno.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Hboagf32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Imgkql32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ffggkgmk.exe	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Dofpgqji.exe	Dhlhjf32.exe
File created	C:\Windows\SysWOW64\Lfmige32.dll	Dagiil32.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Dagiil32.exe	Dohmlp32.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	Eodlho32.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Oeahce32.dll	Goiojk32.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Plbehnol.dll	Digkijmd.exe
File opened for modification	C:\Windows\SysWOW64\Dchbhn32.exe	Dpjflb32.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fmmfmbhn.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Ejbkehcg.exe	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7224	7068	WerFault.exe	296

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chbedh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Denlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Denlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clckpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dljqpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkakml32.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbep32.dll"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmebabl.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eleplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cakjmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkccjejn.dll"	Chebighd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jbocea32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 1812	4340	31c5e5ef8e5bf2ae3864c7ae86f51e3847707d4a99ca8002f398c72fbfd8aef2.exe	84
PID 4340 wrote to memory of 1812	4340	31c5e5ef8e5bf2ae3864c7ae86f51e3847707d4a99ca8002f398c72fbfd8aef2.exe	84
PID 4340 wrote to memory of 1812	4340	31c5e5ef8e5bf2ae3864c7ae86f51e3847707d4a99ca8002f398c72fbfd8aef2.exe	84
PID 1812 wrote to memory of 3576	1812	Chbedh32.exe	85
PID 1812 wrote to memory of 3576	1812	Chbedh32.exe	85
PID 1812 wrote to memory of 3576	1812	Chbedh32.exe	85
PID 3576 wrote to memory of 1044	3576	Cpjmee32.exe	86
PID 3576 wrote to memory of 1044	3576	Cpjmee32.exe	86
PID 3576 wrote to memory of 1044	3576	Cpjmee32.exe	86
PID 1044 wrote to memory of 3428	1044	Commqb32.exe	87
PID 1044 wrote to memory of 3428	1044	Commqb32.exe	87
PID 1044 wrote to memory of 3428	1044	Commqb32.exe	87
PID 3428 wrote to memory of 4684	3428	Cakjmm32.exe	88
PID 3428 wrote to memory of 4684	3428	Cakjmm32.exe	88
PID 3428 wrote to memory of 4684	3428	Cakjmm32.exe	88
PID 4684 wrote to memory of 864	4684	Chebighd.exe	89
PID 4684 wrote to memory of 864	4684	Chebighd.exe	89
PID 4684 wrote to memory of 864	4684	Chebighd.exe	89
PID 864 wrote to memory of 2032	864	Cpljkdig.exe	90
PID 864 wrote to memory of 2032	864	Cpljkdig.exe	90
PID 864 wrote to memory of 2032	864	Cpljkdig.exe	90
PID 2032 wrote to memory of 4916	2032	Ccjfgphj.exe	91
PID 2032 wrote to memory of 4916	2032	Ccjfgphj.exe	91
PID 2032 wrote to memory of 4916	2032	Ccjfgphj.exe	91
PID 4916 wrote to memory of 2748	4916	Cidncj32.exe	92
PID 4916 wrote to memory of 2748	4916	Cidncj32.exe	92
PID 4916 wrote to memory of 2748	4916	Cidncj32.exe	92
PID 2748 wrote to memory of 1964	2748	Clckpf32.exe	93
PID 2748 wrote to memory of 1964	2748	Clckpf32.exe	93
PID 2748 wrote to memory of 1964	2748	Clckpf32.exe	93
PID 1964 wrote to memory of 4656	1964	Ccmclp32.exe	94
PID 1964 wrote to memory of 4656	1964	Ccmclp32.exe	94
PID 1964 wrote to memory of 4656	1964	Ccmclp32.exe	94
PID 4656 wrote to memory of 3032	4656	Digkijmd.exe	95
PID 4656 wrote to memory of 3032	4656	Digkijmd.exe	95
PID 4656 wrote to memory of 3032	4656	Digkijmd.exe	95
PID 3032 wrote to memory of 772	3032	Dlegeemh.exe	96
PID 3032 wrote to memory of 772	3032	Dlegeemh.exe	96
PID 3032 wrote to memory of 772	3032	Dlegeemh.exe	96
PID 772 wrote to memory of 3512	772	Doccaall.exe	97
PID 772 wrote to memory of 3512	772	Doccaall.exe	97
PID 772 wrote to memory of 3512	772	Doccaall.exe	97
PID 3512 wrote to memory of 5016	3512	Denlnk32.exe	98
PID 3512 wrote to memory of 5016	3512	Denlnk32.exe	98
PID 3512 wrote to memory of 5016	3512	Denlnk32.exe	98
PID 5016 wrote to memory of 3284	5016	Dhlhjf32.exe	99
PID 5016 wrote to memory of 3284	5016	Dhlhjf32.exe	99
PID 5016 wrote to memory of 3284	5016	Dhlhjf32.exe	99
PID 3284 wrote to memory of 4412	3284	Dofpgqji.exe	100
PID 3284 wrote to memory of 4412	3284	Dofpgqji.exe	100
PID 3284 wrote to memory of 4412	3284	Dofpgqji.exe	100
PID 4412 wrote to memory of 4032	4412	Dadlclim.exe	101
PID 4412 wrote to memory of 4032	4412	Dadlclim.exe	101
PID 4412 wrote to memory of 4032	4412	Dadlclim.exe	101
PID 4032 wrote to memory of 3272	4032	Djlddi32.exe	102
PID 4032 wrote to memory of 3272	4032	Djlddi32.exe	102
PID 4032 wrote to memory of 3272	4032	Djlddi32.exe	102
PID 3272 wrote to memory of 1632	3272	Dljqpd32.exe	103
PID 3272 wrote to memory of 1632	3272	Dljqpd32.exe	103
PID 3272 wrote to memory of 1632	3272	Dljqpd32.exe	103
PID 1632 wrote to memory of 2036	1632	Dohmlp32.exe	104
PID 1632 wrote to memory of 2036	1632	Dohmlp32.exe	104
PID 1632 wrote to memory of 2036	1632	Dohmlp32.exe	104
PID 2036 wrote to memory of 1692	2036	Dagiil32.exe	105

C:\Users\Admin\AppData\Local\Temp\31c5e5ef8e5bf2ae3864c7ae86f51e3847707d4a99ca8002f398c72fbfd8aef2.exe
"C:\Users\Admin\AppData\Local\Temp\31c5e5ef8e5bf2ae3864c7ae86f51e3847707d4a99ca8002f398c72fbfd8aef2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\Chbedh32.exe
  C:\Windows\system32\Chbedh32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\Cpjmee32.exe
    C:\Windows\system32\Cpjmee32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\SysWOW64\Commqb32.exe
      C:\Windows\system32\Commqb32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3428
      - C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        24⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        30⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        32⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        33⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:840
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        37⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        38⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        41⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        43⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        44⤵
        Executes dropped EXE
        
        PID:3752
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        48⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        49⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        52⤵
        Executes dropped EXE
        
        PID:4472
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        57⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        60⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        61⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        66⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        67⤵
        
        PID:760
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        68⤵
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:756
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        70⤵
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        71⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        72⤵
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        74⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        75⤵
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        77⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2632
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        80⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        81⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        83⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        85⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        92⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5364
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5404
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        95⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        96⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        97⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        98⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        100⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        101⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        102⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        103⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        105⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        106⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5948
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        108⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        109⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        110⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        114⤵
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        115⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        117⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        118⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        120⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        121⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        122⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        124⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        125⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        126⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        127⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        129⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        130⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        131⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        132⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        133⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        134⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        138⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        140⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        141⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        142⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        146⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        147⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        148⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6148
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        150⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        151⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        152⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        153⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        155⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        159⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        160⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        161⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        163⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6832
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        166⤵
        Drops file in System32 directory
        
        PID:6880
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        167⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        168⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        169⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        170⤵
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7080
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7120
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7156
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        174⤵
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        175⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        176⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        180⤵
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        181⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        182⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        183⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6912
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        187⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7112
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        190⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        191⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        193⤵
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        196⤵
        Modifies registry class
        
        PID:6932
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        197⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7148
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        199⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        201⤵
        Modifies registry class
        
        PID:6620
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        202⤵
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        203⤵
        Drops file in System32 directory
        
        PID:6948
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        204⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        206⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        207⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        209⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        210⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        211⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7068 -s 400
        212⤵
        Program crash
        
        PID:7224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7068 -ip 7068
1⤵
PID:7200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
59KB

MD5
08b6929dfc3584fc65e00a8b2ae4262e

SHA1
518fa90ba040d1698017ec270b455bb39b8a8421

SHA256
abaf7f2c6778721dfdc31192e9e71531a86615c3c7acbc27f1005a5cc9ae520e

SHA512
8b5e5197bf23aecf048c14237b2fcaf5f0b3136afe1e2f155df14a18c32176af3487f7bb2f16182b5d8c9ceacee513fd44279c1a2342729870ff7cb215a67373

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
59KB

MD5
2e6e2cced3b536a16972a1dc808ff7a0

SHA1
408ba5fc5601f54d326e50ce9eefba78ff70eef8

SHA256
9d88b82465dd3e6a464653a0dec0143f5279bb6b28bd8e7f28d9c9fe3421b547

SHA512
8ae152fd6ddfcc0a22c1d395dc1bc4800cc182d284aaf211822eb166fd5cc8302848423e096501c605b2d286972ee8335fdefa71554abb7970e3c853c4cb2610

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
59KB

MD5
cf87c33c3e6a4908e4b05a85a95aa6d4

SHA1
4884966af6242cfd773cef87a91d3a284c80305f

SHA256
e24d33affb66566ce895b0ef7b49151bed5b40adcd8b3394a7b7f0dc6b8ad29a

SHA512
c1e810d634b0e628b3a23a8403ac6fd26bb2f48777e764e17978ac5aabc42aa8b86b967df31b152632d93544dd874e4a3c6d1dcd6b3814db28539082b5d179ba

Download Submit
C:\Windows\SysWOW64\Chbedh32.exe

Filesize
59KB

MD5
4f7d2ed272900c174992dca4d2e1ebbd

SHA1
aab361e13a08ae3f03cc72dba2c14286c01c2ee8

SHA256
54193f26cdca13cbab761556cb19510b9a176abdf8d82aed3ba594c0c7bd6d30

SHA512
48c61e0c5570cfa57336242befa9fb83fffd536b99da674e01b8629f26147728c4c02fe34c31ad6a016a6d3e6bad3eeb7d867831b30316242d2020ef8d8824bc

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
59KB

MD5
06218916fc84ab666dca206199575a9c

SHA1
0a66582bfcfef47942c6fa0feee1713914572e7b

SHA256
6154009f324bb96888e7cf23e0cbdfa4e962a13c129e7ee03fc0ad670224422b

SHA512
a71dc621b16b58d897c042bc8979147093f0848180276860689c4e1ce74143c36c70f5a001f6b170906308444e84b396438ad0eb9bad64500891a569d96a0e1d

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
59KB

MD5
8a49e66509f70ecdfa3beef7636c202b

SHA1
1b3672118ba60e56887f5d0208122edf83949378

SHA256
c0c2d74a08bca01eb89512edce164f0bce5841849f80bccb9d664bb0ff7aec2d

SHA512
db11aec1ac164e309320c061a4bd84e822b91153f32e82f959b5e0fa4c45698e3f4075e3e2c486ab0d4e8c7eb07e153be8fa7fdf7ba146a5b00737831aff1202

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
59KB

MD5
386779548eed9a91fcc894afa7d831ad

SHA1
0de8b1a8c11e3aeea1462819761c0c23ed4a05ef

SHA256
2b7f2fcc05e949214bd5d640537334c1ce75ae50d27af541570305fe9ac9ac6e

SHA512
622a2bfbdbf0c8ed48837af062236023aac42784b4151a1eee46c8f417f9fd782c9784791db8cac6542725d49259a3866bb87567d3f9b7ccb8229b9dee94c93f

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
59KB

MD5
f4d737c3a59368de5f593c7b1ee7d98c

SHA1
9e78e8266a1c9eac22a6ee55e6e0d02ffa430174

SHA256
35a4884623538e08f78c0b6abb46d0a389d82140e4cbcd968297f0be027a9e2b

SHA512
a14eb61018ea2e4da5c33a9a48f3a73dd2b9d69b5bffcf43667b2e26644c3981b1361b52ed5786e3564006e12bb7db7e7f3ea10b5325efdc99834c90b2bd9fbe

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
59KB

MD5
ce7d526baf571729a83355eb2bf345bd

SHA1
d900edfdcd127e9a6b427d227f496097e60b632b

SHA256
c3172cd1aa890f179c1f2e6da80703f783d548c8997cbd589f7c8e1f1e9a0bf9

SHA512
429d54f7cd82619c2f00f236552db54822fbccf09e2d008d67d2055cd1026bd1f49546853a7b8ebb8578d9dce37cfdb5e7a519dbe110d9ace498dc022fc0651a

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
59KB

MD5
fe9816686aadce925a8d1ad8f401687f

SHA1
287287631ceab448a4e2cec1a9ae23d53b2dab6e

SHA256
c01166656dde3287a6ef5cb0fa3dd66ef0f9ccf5f41d89ddf3ba12dc206cc411

SHA512
f75a3601571c19fb0b2f53af35ac6bf656c845bd114a8cf4b20fc7db07afbde0a73779faedb0b970c2950c548f04f7e0cf384c5c7d1caab7751a1ae97a8cd56a

Download Submit
C:\Windows\SysWOW64\Dadlclim.exe

Filesize
59KB

MD5
4612c0e14ccfd949a97918b326145948

SHA1
29ee045597c9c81c85caa7edd812d542758f7aa3

SHA256
b15a6249cc55e90ced3dff3bf8550740938b383f70cff58ccaa91a74c3a82aee

SHA512
bcdabf790245a4a6c0b03afb88b93bd23742d6f189e9e35e9a4f12679e517ddfc3c19bc8c1f938ff8bbf257c9a04c1f4599a210f55b66a2cd990d692448104b4

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
59KB

MD5
80e2073eeecc8f7b0bc8ee368aa61f8a

SHA1
fe1f18dae7f7fd739f269200aa8354592a0a0d13

SHA256
f7be96ba661b788f6b340ac9ade8929fa0c4d18a59fbe5b152e5c601c5fa01b9

SHA512
946f7983c13d4fa7b43917db24151234121b731e93df890594604e0b0bf140ce926730897cabe257b18f8402a1cda3339c3aadfdfa5f5ae03e70de094ce9b695

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
59KB

MD5
00b201ead8daab1c22f50fe450097927

SHA1
ffe17c12fdbd825202134dee9113ce30989cfb9c

SHA256
a24dd472fe772b3020852266e236fa306ace0e4c33255830a8a24b03845ddfa4

SHA512
a8fa352ff65dd827fb9e1027dd6bd1d8bebbc1d5a30fdf22f0db8d656848ffcfa1ace41e24f54c94ebc2c4d54df8a109da67e28d4292475b6e4ce435b5c37916

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
59KB

MD5
48b39149b0e5c677da456deb376df8b0

SHA1
603527e192ea0477c37e66e640d9a9f4c160baf0

SHA256
d754a74be599fc7cbb0a1fdf43658c362c4af102cedfd3d454f1a6edf2d6bd77

SHA512
4615602ea78e3a248874cea9ac334900506929f58656448da61817088e20418c2b51d6fb1761823dd7eadf66b140dd65f4277fae24294e0254a2005c956f41dd

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
59KB

MD5
7089f0811f9ce26589885182aa0288a4

SHA1
7e6b91e7046b42ee869ff232036739d023e14cfc

SHA256
ac60cefbd2b877e82b7d715f042c1bd316db89125e4d82bad7dda9254a43cef2

SHA512
7a05e95bb92d0cf5797583be4e475e104cc0869dd544467e89db2ba8f2d7f71e70398cb6baa1155f6126ad298fa35d3971b0e08303292c29a10710a4343e61e7

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
59KB

MD5
f964d5c48b518316a6ca0a875f9c3c5d

SHA1
d1eb38ee5a9dd22cb692cca7201e86ef685c295f

SHA256
4fc74ebea309dc5c513beb3403f2c30c44014dba85292d593d5953f1e1887c30

SHA512
f6afa9835c5d1c89705ef9d52dc9b4e2957b5121d5e44ac08098d3b9fba4be563e25c54aed3bd5735f92c5dff6dd3ca9ec717c08b660c737a7acb43ace98b2ea

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
59KB

MD5
ff395641b70d451622899b650eeca5f5

SHA1
c85f168d5817edcd858e94033193383786a8ab89

SHA256
8e5b6640d23ca6bc1b4a2e0250e3423e3b2e0f03d766fb18e2971c12bbb8f347

SHA512
0f4176d55124177bf12a55cc3cda690250657e6502807ce94deb9319655f5d7bb33703229861bb3992dcf677c07a6f391b76c18f9daef67682fd15a36d426793

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
59KB

MD5
4f1f6377c9ffc383f24811d6229d6386

SHA1
08365f2ec49b2e1f4f1d0f547dc73b451a2770c4

SHA256
f63b7ea12c5accb8fb1edd74ca31453d74751cab1635a237c3e73c8a518b746b

SHA512
c5c5d5b2f42efdd85837e68460b3ac76a412187bb9b76148f818fe51cbd1f89dc3d39295ef70bc9ac7480a90765cdecc8790de47258544c7db4379ebf97f3f0b

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
59KB

MD5
1cb47cd859029e7ee2b8a7c47a8073b3

SHA1
f2c4fb143dca226cfb83d1318db6517eb3c6cc9b

SHA256
1176ede7f1746f518fc7f416ac92bc2b8e683a23e074e8abe992ea15d5625624

SHA512
35bf81e0a31d8110dcb1741ed4ee7e8478169f6ac249278493114d868e8b2c2b995845966a4b9a11d2be8c609b7e86f1146af2792b2e1a97e22b343ba2d4e59f

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
59KB

MD5
f9cb00b0e610a57fd719b0185513b450

SHA1
5e8ad428e33aa04c05071c744999e9ce2f8ccc8e

SHA256
d3413901b1e0bf6058711d8ba93e47b4cf1cea3c1f013ce3cc20f1446af87fe0

SHA512
a56fa4cc9ba9ba35a8565154b7619d5d43fc14737643af71646b203cd763799fc4385e2e7a0efd2e2baae7779d213beb0aef9aa5c89e1b69155a855f0d59e674

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
59KB

MD5
c86ab097217d1e66b92e1b95286e9c0e

SHA1
29f95545fc1047e39ef68d597766f4a4572feb13

SHA256
638bea3872fea44dfb25bee8a57d08b3657639cfa0b8d791dacc49e8b552d9ed

SHA512
ac79b7207f7ce36ff0f7767b3e2b983988c902f315a04852decbd748170882ff30f4b8aed7d3b90eee28f9d4d3a57c302103d556558e11701fff6486dbd5f05d

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
59KB

MD5
615089fd97a0131243d61a6a055f2e89

SHA1
82946ec236648e919d335b81837825c8cba0c2ca

SHA256
63115ff90aac19ba5168daaf87eda47f1107d4206e9c479145feec9077bd68d8

SHA512
a86a8129799c8b6afc9561822d3c6b1fdcf85decbe7e9e195b28fb3c3f0dc5770c2d52c8406bf7595a2377e065ae1233772d0683376bd4cf5b20980cdbde7840

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
59KB

MD5
dff60f1c726d5f2a48453a2459302355

SHA1
92058db4c2e81641df003735090136ea49f35dd1

SHA256
c86b11d855e1138e5a0ed0245005ed4542236e41ce105400efa0dd373c65070d

SHA512
5143b92bbc35f20eee0093dd632730c0ec03480fde754c3d4a32b2de988f255f3b213fd1ed1e9412466feee432c744fecff335fd8826ef9a8bc9e387d617a362

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
59KB

MD5
0c20854251d5af0685ad6fc0f35ebc18

SHA1
2be00ee2b6e6a63bd4fa52d739ad7555a6bef187

SHA256
e471f50a810091244c30088e914753cd74276711b98c2db54f34a500d1a94916

SHA512
20034d574a287be81233283bead2502405793816ef6ca8e01c2bf55b10bef13136f44270496ec6f6aa5db5d6e2e5635bb660706dfd562f8c1d2e8e4acaf807dc

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
59KB

MD5
1ec778c0bb6435adea4e6ca84486b399

SHA1
a39a33d1be87a46784d12066a0f3cbfa6494a317

SHA256
83580cf9e9815549091140972468f6e2fa456de72685c01cdf4a16691476e909

SHA512
2a0d6ee8f7ac0036cbb2cba64b89cb818f5e8083dde5f2249862f1db4d1c09f6fb833f1ad25636aab9eca5f457121b13d54fc029961290c5e7298584eca09eb9

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
59KB

MD5
fa1844004596955f1ba5c09ee99311fa

SHA1
be01d6c666751645b63a48c5560b20e6e9d95096

SHA256
6d65611b88fc0008c418835e6bbbabccfe2f644af31ac207ee597640fed365fb

SHA512
e17bb8a7dcdcf47226a35bf8904be8c8f7525fefcf7298fb17953d9008219c9cbd70d523f4f20be3ae3500e9197b5ad00b6273c4730277dc22e5fc0f24655ef2

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
59KB

MD5
f599dc5e48282ab4f00f30c0f163d146

SHA1
533156007244379c4b939b8e8c5c780f3dd90c1e

SHA256
d3b0310871ee6278d3ea020df77c6d0c3b7a1e5a0255f575ebb4bf02d102332d

SHA512
d3af34ad24e3b3e59246f6ce5a4beef6e5889db9cdb501ec15edfc1bda890241fe180dc06dd9f2fae1869b7127751a0856140c65932864200654eac0b5c41392

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
59KB

MD5
93f86ab46740bb6abc85d77001f551a0

SHA1
247a6b9424d91a8954afcf2dffb2a49acae39bf0

SHA256
f99c7d9c128309e513afb3d919b1aaad79561850ac5aa3b9b4e9e6b7be4730ca

SHA512
7ae65abe19f16b46539e6c39f48148e4a6bb49b4f13567cb132d3d3e56f5c696fb30868b87cd2abfdac14de43d2a13304939df7c9d04176701f721fc257aa1e8

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
59KB

MD5
0359710e4087a62d5226f3641ade88c9

SHA1
cf7bebd7bc4b891700e2cfd62cab0c61caee7e98

SHA256
3d04e57a1cd09e503826fd1202eed9b9735790b3b3bb42c9675d79419e70ea74

SHA512
23edc94b2e32e0101ea855bc5796822fcb3d2f6e3b5808393eefd0a506e6835d60a19d66b755dfa5e71856b5b23cd154b3c87c5e81bded1cb18232a18f46dfa3

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
59KB

MD5
340b08f241b70b9276088e451c53768f

SHA1
45e7dafeba2d3df933989ba79e4734160d2b7d6b

SHA256
4599227043763a8df0c004e494ac2356cf800198ef01eb12b91b00fd017d8987

SHA512
9fa7389a13a326e50bce0dc115b7ca98bdd268e6c40223fc33bedbf7c277361215325ac13bc0849fe38c28296d4b74a8f493c1c35f16afa824e6bffa08e2b800

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
59KB

MD5
81d4875e864d956109e0871424e37d7f

SHA1
fa7a57b9ba897102afde5c3c3a2f1e74998eff9d

SHA256
e728ef32719fdefd45cdf410b30b7412fe3d242e6931855ecf54ede3ce852887

SHA512
8879f34d417be4056011705d1bee71a3cb925e388c8f1ed6ac8758847faedbd3a8247612cb6afe26a03a7451666a9c93e47173795f2d385b7f78c50e7ab8911e

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
59KB

MD5
4f536f15c6b4983f65c487ab19256300

SHA1
7865b58933af9d54829f4b1e4954244d6f87259a

SHA256
c2e5e0dd6f170de73dcf84286ff872ca0943b0ddde26e48077ceecd7abc6aa39

SHA512
a52d94384b2305c7aafd4e6dcc17194f15c3fcf889bb424900ff3fed0ec6f3f58982f6b8698dc5531d0c134d4f5c228564d3019cf0b659dffe15f219df15bb45

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
59KB

MD5
09e926cdf7d92135e3d62079cf5d9f4b

SHA1
4411697699f8568087ba3a8d4e1ea8c40e5ca284

SHA256
afa2fca4be1feb578417d4e24164012aafbedb3591cae56b1ede3265a07d4931

SHA512
b0e304bac4e434f030a48824daf5f9b950cd5941b693e297e4978ed3ee69164955cf3abf1a7c0a736cc906fe70d98231cca471b1137315f6d2149a2ce35663ea

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
59KB

MD5
013d226616351e5e1a9a4be73275c4b7

SHA1
3774f188443dac3a9883cebe548e7476cda65c8b

SHA256
b10e843b1ff69886e0f7a722f31dba6d7cbe65eec45078fbb97cbcda69ef9b88

SHA512
b0064bc8cb2bb599a1e7b7c9db8160ab34c75fb4f57de6f8016f70b24eb734d70ceafbde70f7c218d5c92680322f9a35c8ea1cb3c55d465f477ed3d05af2e840

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
59KB

MD5
0ca7b9fa28cb6a0aaa92b19d4b122fd8

SHA1
2534f37cbb3ef452023bff1f38c1e04cd2572397

SHA256
9868bb62d6ee4d08dd19897cc64447b72d407ebcd99283c5d27fd7f2fbc22d29

SHA512
ba9349e2a70838f6de477ad1e8ea6217410b14a502ae3f9ba697aff833343f299f57ca2f72e75e831758de7e66eff8e9c45e3d5f1a165ef922c1b480df98bf50

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
59KB

MD5
b0d79495556171aeea71c3e5f17aa034

SHA1
305470dc96fb3e0cada559b20b6432834b5e4506

SHA256
a3fb82104b26f6ec0846f6149773e0d8bdb519b4116d060b71ca6cda164924e8

SHA512
1b3580e0af8048aafc3e1505ad195575b1ee96d15fc2c1a0695ef16907fe5dc48247dad2a70ea2de2195fc822054089403f8c3b66825016084ff6d6f2385db34

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
59KB

MD5
245c10f447736dafe6a971aa42328326

SHA1
702163ccde2a4192b0aceca3ccd37179790a8715

SHA256
0323c84aa116aecd35c310b42a69d9302c003765b2e266b157bd069412d10f82

SHA512
6d732682d924547aa8637d666cd83db756af9407df8cdc50c26fa33b70c47e2e3a17bda4dd950bd13d48f60ffa1940ddff8a68501b1d8b44ab8fc2c92ee87b08

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
59KB

MD5
93ac0443a79434d66cdbe4db290ff546

SHA1
ae92ed268e4fe6bb56940a822a4d28f9a198f34c

SHA256
f0f16f93c0c7edac7a7f3308b058a682340247864f49f46f1bb944903c744ab4

SHA512
449a007ea7e7ec3eab14a0067dde23d4d95a6f2c73251207db81e1f324a98d15c0919b290f62e26b06d1c7a845ba1f9ed4eb0cbc949c3ae12111537c04ad8217

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
59KB

MD5
7fdafd976f712c9026db52105ffa321e

SHA1
db72db403da6678ee93ed65b4bf6216f0c4af790

SHA256
2a4ab92a46dd6f04e2c3b61f77be1618d4f21762e008baff45af920c0bdaba78

SHA512
83f622564c0f51b916694516d703df6d5ccd918778ad7d8246223250faa4497b18b1781195980c7451673b13ac90a69803d4f42f7da6e6aace8311de547d7cd0

Download Submit
memory/404-285-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/740-374-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/756-467-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/760-459-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/772-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/840-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/864-47-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1044-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1144-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1372-339-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1392-351-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1396-331-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1408-415-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1428-443-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1476-384-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1560-461-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1600-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1632-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1660-333-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1692-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1748-437-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1784-413-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1812-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1964-79-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2032-56-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2284-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2356-453-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2580-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2748-71-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3032-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3104-303-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3112-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3176-291-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3204-392-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3212-188-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3264-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3272-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3284-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3428-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3476-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3512-112-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3572-430-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3576-16-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3752-321-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3836-297-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4032-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4040-361-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4140-386-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4144-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4252-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4304-240-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4340-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4392-403-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4412-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4552-319-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4588-363-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4628-309-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4656-88-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4684-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4848-192-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4916-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4932-345-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5016-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads