6466f905decfb55e52361ecb5115271e92a8194aadb107d3fbc42b32a855bc68

Analysis

max time kernel
147s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6466f905decfb55e52361ecb5115271e92a8194aadb107d3fbc42b32a855bc68.exe
Size

144KB
MD5

83ea8dfb789d0172fc27debcfaf77576
SHA1

2ffec5cb67e94656ad2678cbdcd1346cfff280cd
SHA256

6466f905decfb55e52361ecb5115271e92a8194aadb107d3fbc42b32a855bc68
SHA512

f9676d34da47b8305309bff4f7dd35b5690aed086351b5cb3af16ba5311965e8b3cbfd1db4ad138052767a6d767d9eaf910eff80f35cd08ce82c299694af90b8
SSDEEP

3072:3uCYsUYL8wsiVTgzL20WKFcp9jRV5C/8qy4ph:3RYQLhBgzL2V4cpC0L4D

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chbedh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagiil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcikolnh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blennh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doccaall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camfbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Badcln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjofcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccfmla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecphimfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe

Executes dropped EXE 64 IoCs

pid	Process
3404	Bekfan32.exe
3568	Blennh32.exe
4828	Bpqjofcd.exe
4480	Bbofkbbh.exe
4396	Bpcgdfaa.exe
1336	Badcln32.exe
2016	Bikkml32.exe
1948	Clihig32.exe
2468	Cccpfa32.exe
4652	Cimhckeo.exe
652	Cpgqpe32.exe
864	Ccfmla32.exe
792	Chbedh32.exe
4796	Commqb32.exe
2108	Cakjmm32.exe
4708	Cibank32.exe
4792	Clqnjf32.exe
2976	Camfbm32.exe
2400	Cidncj32.exe
856	Cpofpdgd.exe
2608	Capchmmb.exe
4712	Dhjkdg32.exe
3820	Doccaall.exe
556	Dabpnlkp.exe
2996	Dlgdkeje.exe
3936	Djlddi32.exe
3640	Dagiil32.exe
2120	Djnaji32.exe
3604	Dphifcoi.exe
4212	Dcfebonm.exe
2068	Dhcnke32.exe
4296	Domfgpca.exe
3144	Efgodj32.exe
3356	Ejbkehcg.exe
3892	Elagacbk.exe
4956	Eoocmoao.exe
3208	Efikji32.exe
2156	Epopgbia.exe
2760	Eoapbo32.exe
4084	Ebploj32.exe
4628	Ejgdpg32.exe
4892	Eqalmafo.exe
2188	Ecphimfb.exe
1500	Ejjqeg32.exe
4488	Ehlaaddj.exe
4472	Eqciba32.exe
4996	Ecbenm32.exe
4092	Efpajh32.exe
2384	Ehonfc32.exe
5044	Emjjgbjp.exe
1968	Eoifcnid.exe
1692	Fbgbpihg.exe
2800	Fhajlc32.exe
4044	Fokbim32.exe
4948	Fbioei32.exe
3908	Fjqgff32.exe
3808	Ficgacna.exe
4252	Fmocba32.exe
376	Fcikolnh.exe
4912	Fjcclf32.exe
1028	Fmapha32.exe
3616	Fopldmcl.exe
4504	Fbnhphbp.exe
3212	Fjepaecb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Efpajh32.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Ebploj32.exe
File opened for modification	C:\Windows\SysWOW64\Dhcnke32.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Lcglnp32.dll	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Djlddi32.exe	Dlgdkeje.exe
File created	C:\Windows\SysWOW64\Cibank32.exe	Cakjmm32.exe
File created	C:\Windows\SysWOW64\Dbppbgjd.dll	Dhcnke32.exe
File created	C:\Windows\SysWOW64\Elagacbk.exe	Ejbkehcg.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Pakbej32.dll	6466f905decfb55e52361ecb5115271e92a8194aadb107d3fbc42b32a855bc68.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hmioonpn.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Icnmgkke.dll	Capchmmb.exe
File created	C:\Windows\SysWOW64\Fjcclf32.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Chbedh32.exe	Ccfmla32.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hpenfjad.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	Eoapbo32.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Dcfebonm.exe	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Eqalmafo.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lkakml32.dll	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Fbgbpihg.exe	Eoifcnid.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File opened for modification	C:\Windows\SysWOW64\Fodeolof.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kagichjo.exe
File created	C:\Windows\SysWOW64\Eoocmoao.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Cmlnpc32.dll	Cidncj32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Commqb32.exe	Chbedh32.exe
File created	C:\Windows\SysWOW64\Bppheeep.dll	Eoifcnid.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jbocea32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7832	7744	WerFault.exe	312

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpofpdgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlnpc32.dll"	Cidncj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhjkdg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cccpfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dagiil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clihig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Commqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbofkbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpqikhah.dll"	Cimhckeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jokmgc32.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbjbq32.dll"	Bekfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmige32.dll"	Dagiil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnhno32.dll"	Ccfmla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbofkbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkdqfii.dll"	Doccaall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fbioei32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 3404	728	6466f905decfb55e52361ecb5115271e92a8194aadb107d3fbc42b32a855bc68.exe	86
PID 728 wrote to memory of 3404	728	6466f905decfb55e52361ecb5115271e92a8194aadb107d3fbc42b32a855bc68.exe	86
PID 728 wrote to memory of 3404	728	6466f905decfb55e52361ecb5115271e92a8194aadb107d3fbc42b32a855bc68.exe	86
PID 3404 wrote to memory of 3568	3404	Bekfan32.exe	87
PID 3404 wrote to memory of 3568	3404	Bekfan32.exe	87
PID 3404 wrote to memory of 3568	3404	Bekfan32.exe	87
PID 3568 wrote to memory of 4828	3568	Blennh32.exe	88
PID 3568 wrote to memory of 4828	3568	Blennh32.exe	88
PID 3568 wrote to memory of 4828	3568	Blennh32.exe	88
PID 4828 wrote to memory of 4480	4828	Bpqjofcd.exe	89
PID 4828 wrote to memory of 4480	4828	Bpqjofcd.exe	89
PID 4828 wrote to memory of 4480	4828	Bpqjofcd.exe	89
PID 4480 wrote to memory of 4396	4480	Bbofkbbh.exe	90
PID 4480 wrote to memory of 4396	4480	Bbofkbbh.exe	90
PID 4480 wrote to memory of 4396	4480	Bbofkbbh.exe	90
PID 4396 wrote to memory of 1336	4396	Bpcgdfaa.exe	91
PID 4396 wrote to memory of 1336	4396	Bpcgdfaa.exe	91
PID 4396 wrote to memory of 1336	4396	Bpcgdfaa.exe	91
PID 1336 wrote to memory of 2016	1336	Badcln32.exe	92
PID 1336 wrote to memory of 2016	1336	Badcln32.exe	92
PID 1336 wrote to memory of 2016	1336	Badcln32.exe	92
PID 2016 wrote to memory of 1948	2016	Bikkml32.exe	93
PID 2016 wrote to memory of 1948	2016	Bikkml32.exe	93
PID 2016 wrote to memory of 1948	2016	Bikkml32.exe	93
PID 1948 wrote to memory of 2468	1948	Clihig32.exe	94
PID 1948 wrote to memory of 2468	1948	Clihig32.exe	94
PID 1948 wrote to memory of 2468	1948	Clihig32.exe	94
PID 2468 wrote to memory of 4652	2468	Cccpfa32.exe	95
PID 2468 wrote to memory of 4652	2468	Cccpfa32.exe	95
PID 2468 wrote to memory of 4652	2468	Cccpfa32.exe	95
PID 4652 wrote to memory of 652	4652	Cimhckeo.exe	96
PID 4652 wrote to memory of 652	4652	Cimhckeo.exe	96
PID 4652 wrote to memory of 652	4652	Cimhckeo.exe	96
PID 652 wrote to memory of 864	652	Cpgqpe32.exe	97
PID 652 wrote to memory of 864	652	Cpgqpe32.exe	97
PID 652 wrote to memory of 864	652	Cpgqpe32.exe	97
PID 864 wrote to memory of 792	864	Ccfmla32.exe	98
PID 864 wrote to memory of 792	864	Ccfmla32.exe	98
PID 864 wrote to memory of 792	864	Ccfmla32.exe	98
PID 792 wrote to memory of 4796	792	Chbedh32.exe	99
PID 792 wrote to memory of 4796	792	Chbedh32.exe	99
PID 792 wrote to memory of 4796	792	Chbedh32.exe	99
PID 4796 wrote to memory of 2108	4796	Commqb32.exe	100
PID 4796 wrote to memory of 2108	4796	Commqb32.exe	100
PID 4796 wrote to memory of 2108	4796	Commqb32.exe	100
PID 2108 wrote to memory of 4708	2108	Cakjmm32.exe	101
PID 2108 wrote to memory of 4708	2108	Cakjmm32.exe	101
PID 2108 wrote to memory of 4708	2108	Cakjmm32.exe	101
PID 4708 wrote to memory of 4792	4708	Cibank32.exe	102
PID 4708 wrote to memory of 4792	4708	Cibank32.exe	102
PID 4708 wrote to memory of 4792	4708	Cibank32.exe	102
PID 4792 wrote to memory of 2976	4792	Clqnjf32.exe	104
PID 4792 wrote to memory of 2976	4792	Clqnjf32.exe	104
PID 4792 wrote to memory of 2976	4792	Clqnjf32.exe	104
PID 2976 wrote to memory of 2400	2976	Camfbm32.exe	105
PID 2976 wrote to memory of 2400	2976	Camfbm32.exe	105
PID 2976 wrote to memory of 2400	2976	Camfbm32.exe	105
PID 2400 wrote to memory of 856	2400	Cidncj32.exe	106
PID 2400 wrote to memory of 856	2400	Cidncj32.exe	106
PID 2400 wrote to memory of 856	2400	Cidncj32.exe	106
PID 856 wrote to memory of 2608	856	Cpofpdgd.exe	107
PID 856 wrote to memory of 2608	856	Cpofpdgd.exe	107
PID 856 wrote to memory of 2608	856	Cpofpdgd.exe	107
PID 2608 wrote to memory of 4712	2608	Capchmmb.exe	108

C:\Users\Admin\AppData\Local\Temp\6466f905decfb55e52361ecb5115271e92a8194aadb107d3fbc42b32a855bc68.exe
"C:\Users\Admin\AppData\Local\Temp\6466f905decfb55e52361ecb5115271e92a8194aadb107d3fbc42b32a855bc68.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\SysWOW64\Bekfan32.exe
  C:\Windows\system32\Bekfan32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\Blennh32.exe
    C:\Windows\system32\Blennh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\SysWOW64\Bpqjofcd.exe
      C:\Windows\system32\Bpqjofcd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\Bbofkbbh.exe
        
        C:\Windows\system32\Bbofkbbh.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Windows\SysWOW64\Bpcgdfaa.exe
        
        C:\Windows\system32\Bpcgdfaa.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Badcln32.exe
        
        C:\Windows\system32\Badcln32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Bikkml32.exe
        
        C:\Windows\system32\Bikkml32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Cimhckeo.exe
        
        C:\Windows\system32\Cimhckeo.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Ccfmla32.exe
        
        C:\Windows\system32\Ccfmla32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Chbedh32.exe
        
        C:\Windows\system32\Chbedh32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Commqb32.exe
        
        C:\Windows\system32\Commqb32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        25⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        27⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        29⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4212
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        33⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        34⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        38⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4488
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        49⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        51⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        55⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        58⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        59⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        61⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        67⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        69⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5088
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        74⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        75⤵
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        76⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        77⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        78⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        79⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        81⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        82⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5328
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        85⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        86⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        87⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        88⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        90⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5656
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        92⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        94⤵
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5824
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        96⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        97⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        98⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        99⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        100⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        101⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        103⤵
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        104⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        105⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        106⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        107⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5548
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        109⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        110⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        111⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        113⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        114⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        115⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        117⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        118⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        121⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        122⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        123⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5224
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        125⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        126⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        127⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        128⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        129⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        130⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        132⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        133⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5376
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        135⤵
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        136⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        137⤵
        Drops file in System32 directory
        
        PID:6212
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        138⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6304
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        140⤵
        Drops file in System32 directory
        
        PID:6368
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6472
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        144⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6876
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        151⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        154⤵
        Drops file in System32 directory
        
        PID:7064
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        155⤵
        Drops file in System32 directory
        
        PID:7104
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6276
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        159⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        160⤵
        Drops file in System32 directory
        
        PID:6468
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        161⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        162⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        163⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        164⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        165⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        166⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        167⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        168⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        169⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        170⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6492
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        172⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        173⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        174⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        175⤵
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        176⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        177⤵
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        178⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        179⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        182⤵
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        183⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7092
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        185⤵
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        186⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        187⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7248
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        189⤵
        Drops file in System32 directory
        
        PID:7292
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        190⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        191⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        192⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7456
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        194⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        195⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        196⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        197⤵
        Drops file in System32 directory
        
        PID:7628
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        198⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        199⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        200⤵
        Drops file in System32 directory
        
        PID:7748
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        201⤵
        Modifies registry class
        
        PID:7796
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        202⤵
        Drops file in System32 directory
        
        PID:7844
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        203⤵
        Modifies registry class
        
        PID:7888
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        204⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        205⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        206⤵
        Drops file in System32 directory
        
        PID:8016
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        207⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        208⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        209⤵
        Modifies registry class
        
        PID:8144
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        210⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        211⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        212⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7276
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        213⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        214⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7404
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        215⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        216⤵
        Drops file in System32 directory
        
        PID:7532
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        217⤵
        Modifies registry class
        
        PID:7580
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        218⤵
        Modifies registry class
        
        PID:7652
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        219⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 408
        220⤵
        Program crash
        
        PID:7832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7744 -ip 7744
1⤵
PID:7780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Badcln32.exe

Filesize
144KB

MD5
7ffadf0163ddbfdecbcce2a5a07fc313

SHA1
27ee445b26ce67b64cfa8df0b36ba74dbde5036b

SHA256
b6f404031e484f64e8922cddfa680a1d4e9b2f3cfec731594b348e0790575988

SHA512
316b16621c14b83daddf53f55a53a4e57b219e3ec7c90ca4efb5ba52a8cc3bc00fbbef47d48a7768d5a2102e8536c80ce2e894ff44671cd16230ca70ae4404d3

Download Submit
C:\Windows\SysWOW64\Bbofkbbh.exe

Filesize
144KB

MD5
b5edc940fa1ea6049ee7b575dab5d4f2

SHA1
97709ae557d530af741b09da30dacf1cbf2da3a8

SHA256
b80c06a0c5a32eb97bc4b79c223a9e4cee058ba7775bfa326cfdcfc49b216cb3

SHA512
6a934e40ee7a39ffca10113e39984dc6079f018e3fba76e256d86d2a0f58105b1a69ba31f6417e78fcf787610e4f2ffdf94f379f9e0a5d8cc7b54263d0b21030

Download Submit
C:\Windows\SysWOW64\Bekfan32.exe

Filesize
144KB

MD5
eba70a33e9c95ca1c7525757e39c9b82

SHA1
060fb40409dd496876aac3b40b908599548f4cb6

SHA256
4eb8a2d4e5689598bc3b4fa299dce24fd77ce502d4fba6428aaa7eb7b1cf251f

SHA512
c8b3fad0a9a9f90fc92fdafaae5618aff91e7b3d9ba759469542509bda15eb2c4bf8133c6da2bf640880ed9d19f134b1390c3b045a3aa7abdd154d34ade41e87

Download Submit
C:\Windows\SysWOW64\Bikkml32.exe

Filesize
144KB

MD5
f26ca40315dd0bd094c66c870f1afe58

SHA1
9f1db0f3d469b7cebace7524e904ebaa822caeb1

SHA256
12bb7964fb55b61e7fee020c072f9f858c01318518b3ef0caf71f91a6fc0bd80

SHA512
85c64fb2b942ef14e3297b8ed3ccbe4de9691f26663bdad5382af1020d8aa84df3a7507736b301865bbe171180e09458cd2ace0e53113809e54d7508484b3a5d

Download Submit
C:\Windows\SysWOW64\Blennh32.exe

Filesize
144KB

MD5
a111e90de09b0de303922d24bbc399d4

SHA1
c267bcac3911b53c86327ba00c44943386d94833

SHA256
ce89eda250471f69c6e3a2ab4978d64973810a91888c2cd2a7fe3619be5849e0

SHA512
a4da61699f634269bc7a41150331f9eea5216c98eec613124240c9577de815fe332bfd4abc82534358faa2d667d51074d12a47d001e7ff37eac6075da3fd9afc

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
144KB

MD5
4b84c3829238a34f4121003476d09841

SHA1
d21399d7332f2e0caf2cf5915b36957f8711a6c2

SHA256
ed44c907b0e67156bb8635d4bcb394756942cac9da0e4baee9869caf0def908e

SHA512
74d6403ba2d373923ca6134888c65453065ab53d637d11dbbe3f55814dca2a557065084a40c34440a7f7469735e9b941ee6c1bbc38bacb7a6f10a0b99fdd3958

Download Submit
C:\Windows\SysWOW64\Bpqjofcd.exe

Filesize
144KB

MD5
39e6be72bcf17cee26c6ebcae735e120

SHA1
e9c81ce6c498fa704c7e2455aff733505737c8d1

SHA256
adf4c151a548ce488a6d824c9bcf3cf58fc4ceb9a644b8359df0aa9f74cdd49b

SHA512
040e62b1856953dc79f0dee7307772036c51422cfdf0bcb8385ac434f644037191cff87e184215610e9751c1d0b4eb8d5b25513293633fad588b7a63f58125b8

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
144KB

MD5
b9371ae1700756b08e778b899788b9d5

SHA1
eaec37051d9a77434b47bedde5e0b014295d4082

SHA256
36a8d00558d0f9a52a0b37eca8fa29c1f985b053610818184aef398611696b8b

SHA512
9ecd65d39433fd2a5a518ac7ac687b8405b37a280249a25ba29900e5474487c549c915cdf5e1168c0773e2fae5e653fddbaff8f9b5bad70dc4ebcbe477131ddb

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
144KB

MD5
693d46409c3d0b958afd7f2e6cdb2166

SHA1
baf070173ed7fa8ca83fa64fec4efbd622a3e1d4

SHA256
d11b4855ef70eb184fac9df5a6c2f7d1b3c9f83f80b6a1542c403d15c6a08ccf

SHA512
4d84c48fd33c9631afad78364d409c35df5ab612f401593db7183b34dca41610bed0f3d49d401ec818eff5472c6cb0e106a6ce7173fd4490966946916116a6e4

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
144KB

MD5
2b462f591f83e17a894b83261a9b2514

SHA1
f446c8970fb26e9384b8e83a3926e1cc4bf22339

SHA256
01d145c9c1937b13361b165f1598e6724d0005f28c0cdb5377b851f4f004cf3e

SHA512
ce1c32331cec74b3a20b8152795122115b856a219c4371fc74351b14256e8e20db7caab25d16afffd99eeda14dbacf584f7b4310d8ef28913c9d74b7eedac4fa

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
144KB

MD5
2866f6a6299b34c0bd848132cc7a04a0

SHA1
9b2d9c3efa1807b164926a247aac524010be6326

SHA256
e4253772095cdd4c9f8a5c6800905a614b1d51e50d6f31b7f6b0f56cf392ca0c

SHA512
6db9629966d2072b2405febe161d49ff6ce7f947fcc21a4eb070f440c9e0688573fe686e16e3df26165c551746f9114edea697cd61117bffc38e551a7707e3d6

Download Submit
C:\Windows\SysWOW64\Ccfmla32.exe

Filesize
144KB

MD5
dcefe52c15a72b17b61ee0e514dba7f4

SHA1
79c8061204562face191856c3b891fdeec687b0f

SHA256
2c5d873a62d9f1ebfed694c4c4e9b4ffe0171a07a870bf00b328843c5ca15bd1

SHA512
f8b623f398c0f31dcd75d65e08059f2c45cd450f6afc831e420ff5be84787800da76c4b2cfb1ae72d373928245b92d655c1adc05104a6e2144f1e22681e32a1f

Download Submit
C:\Windows\SysWOW64\Chbedh32.exe

Filesize
144KB

MD5
3a0bcceb0cfb0e0715cb2cd1f386a6cd

SHA1
5f695c3aa5bd15d6b038bd63a27880bd86271ea0

SHA256
ffb5928d0dfe5d584ca5495131900ca87c5f238c5f29c410c11a0e571c8cb28c

SHA512
e3eb3b68b5e7c1a530db82c227e74ebe6398461f1cfc6e9c4692358e7eee298fabcbd3fb398a23cb7c0529528f5e07bb14447ea3a044f004588db3732e626da5

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
144KB

MD5
1032ee3c4034ba9c833af5bbe8e34b24

SHA1
98cdff340c5365f2da1dedea34c992b6ed22874d

SHA256
0c7756d99c4caba14bc85e35f694e4d944269435498ea8b3e404ec07500f5033

SHA512
e66252645d0056efd9e5b51d91122da05944cc39aa1b8a77a40e609c368c558d2b36ed3832e412788ae9140ca0230d3419e57c28caf96e5b052c7f9aa3ade515

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
144KB

MD5
e2301a6faa55665898e38e6686d45337

SHA1
0a0ce1ac7d7d46fb1844fb960a50d729f21115fe

SHA256
c4923c497e5ae66e8e4ea09908bd6eea95a573c2b92fbb7217e23515fa2d25fb

SHA512
0572389e1a25e813e822e5ccadc0d2112973d2aac445672bbdd674a6ef76c8c5e0ec76a537efff610e46694ffb38a1c850c0b8b8ec88ce7177f81fac362da0df

Download Submit
C:\Windows\SysWOW64\Cimhckeo.exe

Filesize
144KB

MD5
421fa173aaf0206d9e91308dfd6810e9

SHA1
edb5eaeb4c3e0093af3fe2ef82e8ccba2c90f1b9

SHA256
d87ba8e3039761cc2eb2a87bcd6f1b2fd5cba3033af51e6eea2f0a4fada7ce59

SHA512
d825480a4007738dc6e70801bba970c5b76a61b45f970eadcc63ddc1e578e66aa6f7ff4c4dcbc68ee0786873c0779f623c7e85384dc731411c810ed82639a966

Download Submit
C:\Windows\SysWOW64\Clihig32.exe

Filesize
144KB

MD5
bb28553a64d3aef2796b6ab104644fea

SHA1
b7b60f694f5c7337acb36475bfa6befda482e9bb

SHA256
a4a46d6de32f58869f697e14431992a4d2b156514b89b0ec7ac39f957bf9b807

SHA512
c3c2c6b1e2880d6656166d7278d0672968e14f035ed122ad39ac5886eddfdaf03a48b57feab0da618596ec59e708e5c3efeaf219b6341efed3fbe934f4ff7568

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
144KB

MD5
53464e704ddc0e2f09c8804a3b430d5e

SHA1
29baa71da15d46fc1556fd58c8e8fdc5b061bde5

SHA256
6b8667b5147238d8583fbd0e6f3ee2727ff5d77313ef88141e4f17458e106d16

SHA512
1d7f2116d0b2b0a0a9261850996a54d071840333e183c00b2408d7ed4b3daaa792db688413b3eefc5fd0f0059affa7fe0dde18c5212f18690d1bd90627fee38b

Download Submit
C:\Windows\SysWOW64\Commqb32.exe

Filesize
144KB

MD5
ca98aa74f00ac6ea5a568609848f93cf

SHA1
cfc77a96f770c8c7d91b7afbd88d20be928c6778

SHA256
ff7a02d4adc8820190039fd7e868e26e39f41576f101f86aad0108399626d908

SHA512
e55d1bb3abf362ce6047328c224ffed8a87d020ea4cb9f945c9a736ae5579240780452ec2514c0842fd27f3db8d4a5b4c58c3748a736fbe732bae1d2d934f803

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
144KB

MD5
d909c566efc3a9e675249f0abf291a94

SHA1
2372804a3ea2de8cd733392bf360ec1d61752dcc

SHA256
c8edab7dc3473d1b408c6bc6ef25ae3d7be7a30d9e114b68d33ea45ab60dfbb9

SHA512
fe02d3b481ab59b64726e02b6da72be95d5a3c8ddc5f7b49789e3b1107dd2d6e9c60c48645bcc901f6db31db8f3a78c98dfd2d46af597d485762e86c96ac8bb5

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
144KB

MD5
dbfed4b83cef4b3fced5b28474aefa21

SHA1
93677cd9d21bbefebc2b021ad413d56fddfcbe51

SHA256
e765e984ef4c3de4b04c2f6f9a9db70ab48871c49e2a5d4dfdec500291ee9194

SHA512
5c12e249b8dfe9fcc156fbaeb5b581ee29e83588ab4033fd965ece310d7f37a182cd7d6cb5610eed3b44ae42e474cad52485d406fffe7fd775000d99c29c7331

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
144KB

MD5
66ef161358bd6d8eddd7bdb3f879d02d

SHA1
9519bcd41417a9421286f408daf9b29345bbdab8

SHA256
3e66634c72aba0b8462fe8386085b04fcd146801cd14b0735fff68cc18bf3a03

SHA512
6d1734e38519df9c3d7965dc9fb07a32d0d6f9a394e24abcc9d7f25a0585eda277fa4a3f750ca22b7f6e849133c8d90c3d0f055e31d1adb8b77d512d3e139f2b

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
144KB

MD5
430202560536c1c4f8f4378dff5edf4a

SHA1
9f4007f48b957846c0a019fd25b6c4ff7f6ae1f7

SHA256
521ded2f6bde310603fb8301cdfd2d9493cedeed52a4e2ec990c560202a5d138

SHA512
79637963ad44ebcae0236b2236a488e7c5a6f45ed5b2cb701b1c993b3974fbf54a7cc9d296f72e306a48f0313f1726c83c78dd4e89ebed57f5218049f87b8555

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
144KB

MD5
a3224f9f2bf3690f9a79acca904cd1d9

SHA1
f6bb1732c6d6a394ebd97e7570101c5b9c28ffa4

SHA256
adb6401a6b1e9ac4234fcb062ff012406832502fbc49fb44695db49867ed466e

SHA512
8c52f39b9dddcfc22b8b38224ae4765ff25d83a9e9acf51d2edcc948264261dfed733558bc4c9fa87b0b5d16be498507aae1569f2567bf0c2747b6eefc34a7d9

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
144KB

MD5
5d426397e5e2cbc021aa4e3cfbbf5c8e

SHA1
b7ba2eca081d57282fbb3c61139b7855b21678f6

SHA256
95d3596f84414ceead18301032e8181ae953043da47256f1f8e442d1796147d4

SHA512
8eebf285f9546bea476d00b3bb60ecbbbb19abbc524c09f1bfe3cd887dda6ab60b9c05544ff88d4d5ffd22cf004607b7c55c54f394caed3d9f57bd8fe4194d67

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
144KB

MD5
a83c68be1977cf3aa73fe07289c82c29

SHA1
20ad83bbb94b2cc43b8c961004ae2e15639a4303

SHA256
f1da2a2a09fb5adf667d08ead63022c4fcadbb99d6a9c8a10ae0ee6cf0ff764b

SHA512
bb73544cf93788b217329f2ec90098a530aa22969d70cca24f4099faa667613ccfd97db673e442d93d23d684fd20a77ba1187cb445de9f8428267e449c5626f7

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
144KB

MD5
ea6a011f11798a3dd008c680946b80ca

SHA1
ea1ca200252f730244e6ab72e04e070ec7622939

SHA256
f47bf7712109fac0ff241aa120cec25274777fb86b543d172ba1b325b138229c

SHA512
37a150a88d575a022ab1ee1fede8fd6c2e0e70f9aeff03da85e9b65bc585e465f2cbff8a346b9ad226e85d22d21757661043a9ce3b3c88b1f495fa1d5ef35775

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
144KB

MD5
4a294e95a188240dfe35a813d11491e8

SHA1
291700c8e2f722f36b9d4898efeef3fd5098280b

SHA256
63b9616d08d1666b342178ada132117255c1f2fdcfa33e954ba19ecc2b250690

SHA512
caa6d0207d1e4905d7468f9827c4be94a4d0770a6db8f8db2503764a5042da5aaa5de301b094988c7771c98cd909c9fb9c9d352ded829f2f313a512c5ab3720e

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
144KB

MD5
882786fa1f989bb72d86a1ec7e388eaa

SHA1
888fa5acf1f21d735b5df8e36fcc52759959e60f

SHA256
c655ea280592978501bad97e82038f9ddf9401dd16cc328023413edba010612a

SHA512
56d5a7a9d63e48940dc9abcadb82cdd1916a19fbf5cfe2d151f80c4b365a24828c5b992181f42afdb2153a51720ece4b47460fcd498d06eb62931c64771b7032

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
144KB

MD5
73c1ae0bd73bdb9a20695bd8c6b9d097

SHA1
d02b5a03a3a2c94470306c22c9828f0d6b34ea6e

SHA256
c277eb93bf2383f7f494aef08f86a63d625f45a1e631fda998eb2ab9964f433e

SHA512
851522b34d7ef039eb240b39ac0a579d9c074d132168c2c2fe2980ccf39abf4a85956ab3fc7c00ee4a18929462d79f2670013ad93a5d8c2cd599f313ffcd07e4

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
144KB

MD5
87b0ebbdc02d00c4579dd717fa345d47

SHA1
be404dc9b6f2f415e6ba4b6736f81e65af6cc1a5

SHA256
44776de3753784618ad7327c2df45c928e51a8420d0a8f2eb0b89fcd6c8d2c8d

SHA512
9736ad137a1d22f9728c2cf225ca7ab09070c764e2e75e5dfd4d98d4871b79db73fdc5624eb97ca976c818d33999e18b5cb5eb012eb5545478c5bb4da98b90c1

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
144KB

MD5
2a897266f4b2cd5cf266c958c5178d9f

SHA1
06a5b2a4e15efcc22b970de80325c90f0289b124

SHA256
80d5c1dff7605ff28c4d9a536ca6cfb3a59725744f0c9e2d98515afabd0f2ca8

SHA512
6cad5ad024bffc04bfde5532925abd29b844e2b25804e7c86fe1370ca67b34801f718b593188b3e14c07680c2dc386a298881b8c0bb9b06100058a4b3dd6152e

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
144KB

MD5
5f3dbda8f5f5d9b94db3b0333e516264

SHA1
d0cdfc9edef82c8c239581abb1ad1c94f7606882

SHA256
1e7da4f02b59fe805e8af7ce9f5fdaab9fff814a9d37c724a678386ae47e5965

SHA512
944645a84fbd9b81432fb80ab3660acf2c67b6ea138b7e3c2cd5ee8820be29852949d720be20a7f82bd5bf1e6829d3d7fcbc3162766f7580e0e84fc39e9c9cfa

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
144KB

MD5
bc170e2e2b097a27e30e7ec80501aec9

SHA1
2323909aa8d58c91263fbfe075238f5c8d33db8f

SHA256
44d5b18838a3447c9f43252e0bbe07de25e9cedefdd71c3312f7d9e42ae923eb

SHA512
2967fc341fe26117422f6a5ccee32638f7af0ffa769844dd12a435079b96f213a969e6c33befa5300c12f7001d3b6edb6d31d55dc8992314ce0b8c43608e5b2f

Download Submit
memory/556-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/556-284-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/652-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/728-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/728-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/792-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/792-195-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/856-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/856-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/864-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/864-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1336-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1336-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-150-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2108-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2108-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-238-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2120-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2156-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2400-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2400-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2608-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2976-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-309-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3356-289-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3404-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3568-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3604-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3604-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3640-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3820-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3936-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3936-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4084-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4212-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4396-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4396-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4628-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4708-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4712-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4796-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4956-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads