86ce61027f4ae184361cca747f8460535bcc07fb7ff518099d5892f7ae97d1ea

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86ce61027f4ae184361cca747f8460535bcc07fb7ff518099d5892f7ae97d1ea.exe
Size

443KB
MD5

7242a3dc40b4ad6b147aea50ed96b612
SHA1

746cf8425f0fed221aacdbe2a0e8039014a7ea96
SHA256

86ce61027f4ae184361cca747f8460535bcc07fb7ff518099d5892f7ae97d1ea
SHA512

6cc45f11540f08678d37199359c92995561ddd43075301067e47b7e254f725a29add5015450a2e32d43d1bc6f324a758fc247eb783d2e670be36af99fdea7f6d
SSDEEP

6144:MYKugaqjqTb7zeXmRL13n4GAI13n4GAvs0PEpNF0pNO021fv13n4GA3uKjwszeXu:MYKiwi1J1HJ1Uj+HiPj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpacfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehjdldfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnepfpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dakbckbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpcpkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhajlc32.exe

Executes dropped EXE 64 IoCs

pid	Process
1196	Dpacfd32.exe
4432	Diihojkb.exe
1956	Dlgdkeje.exe
4460	Dpcpkc32.exe
2288	Dhnepfpj.exe
1848	Dpemacql.exe
4136	Dcdimopp.exe
4156	Debeijoc.exe
4196	Djnaji32.exe
2420	Dllmfd32.exe
1520	Dphifcoi.exe
4184	Dcfebonm.exe
2456	Daifnk32.exe
3148	Djpnohej.exe
4900	Dlojkddn.exe
3108	Dpjflb32.exe
4472	Dchbhn32.exe
4788	Dakbckbe.exe
4100	Efgodj32.exe
764	Ehekqe32.exe
1880	Eoocmoao.exe
2936	Eckonn32.exe
2592	Efikji32.exe
1792	Ejegjh32.exe
2716	Ehhgfdho.exe
3092	Epopgbia.exe
3940	Eoapbo32.exe
540	Ecmlcmhe.exe
3012	Eflhoigi.exe
3892	Ejgdpg32.exe
4192	Ehjdldfl.exe
2328	Eqalmafo.exe
3676	Eodlho32.exe
3888	Ecphimfb.exe
3000	Efneehef.exe
1488	Ejjqeg32.exe
2532	Elhmablc.exe
5060	Eqciba32.exe
3692	Ecbenm32.exe
4800	Ebeejijj.exe
4480	Ejlmkgkl.exe
3112	Ehonfc32.exe
2068	Emjjgbjp.exe
3704	Eoifcnid.exe
1064	Fbgbpihg.exe
1400	Ffbnph32.exe
2104	Fhajlc32.exe
4912	Fmmfmbhn.exe
4560	Fokbim32.exe
1804	Fcgoilpj.exe
2580	Ffekegon.exe
2476	Fjqgff32.exe
3436	Fmocba32.exe
5112	Fqkocpod.exe
4364	Fomonm32.exe
4272	Fbllkh32.exe
2192	Ffggkgmk.exe
3688	Fjcclf32.exe
2108	Fmapha32.exe
716	Fqmlhpla.exe
4416	Fopldmcl.exe
4736	Fckhdk32.exe
3076	Ffjdqg32.exe
3460	Fjepaecb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ejjqeg32.exe	Efneehef.exe
File opened for modification	C:\Windows\SysWOW64\Ffbnph32.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Bdghlnlo.dll	Efikji32.exe
File created	C:\Windows\SysWOW64\Fihpfl32.dll	Eodlho32.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hkcdljbo.dll	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Cniohj32.dll	Eckonn32.exe
File opened for modification	C:\Windows\SysWOW64\Eflhoigi.exe	Ecmlcmhe.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Dllmfd32.exe	Djnaji32.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Icljbg32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Icljbg32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Dpcpkc32.exe	Dlgdkeje.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Fijmbb32.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Dllmfd32.exe	Djnaji32.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Dpacfd32.exe	86ce61027f4ae184361cca747f8460535bcc07fb7ff518099d5892f7ae97d1ea.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ibmmhdhm.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jplmmfmi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7360	7216	WerFault.exe	297

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djpnohej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkfba32.dll"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacdmi32.dll"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cichoi32.dll"	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecphimfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagaaq32.dll"	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojigmkeg.dll"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaodjbe.dll"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpacfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1196	852	86ce61027f4ae184361cca747f8460535bcc07fb7ff518099d5892f7ae97d1ea.exe	85
PID 852 wrote to memory of 1196	852	86ce61027f4ae184361cca747f8460535bcc07fb7ff518099d5892f7ae97d1ea.exe	85
PID 852 wrote to memory of 1196	852	86ce61027f4ae184361cca747f8460535bcc07fb7ff518099d5892f7ae97d1ea.exe	85
PID 1196 wrote to memory of 4432	1196	Dpacfd32.exe	86
PID 1196 wrote to memory of 4432	1196	Dpacfd32.exe	86
PID 1196 wrote to memory of 4432	1196	Dpacfd32.exe	86
PID 4432 wrote to memory of 1956	4432	Diihojkb.exe	87
PID 4432 wrote to memory of 1956	4432	Diihojkb.exe	87
PID 4432 wrote to memory of 1956	4432	Diihojkb.exe	87
PID 1956 wrote to memory of 4460	1956	Dlgdkeje.exe	88
PID 1956 wrote to memory of 4460	1956	Dlgdkeje.exe	88
PID 1956 wrote to memory of 4460	1956	Dlgdkeje.exe	88
PID 4460 wrote to memory of 2288	4460	Dpcpkc32.exe	89
PID 4460 wrote to memory of 2288	4460	Dpcpkc32.exe	89
PID 4460 wrote to memory of 2288	4460	Dpcpkc32.exe	89
PID 2288 wrote to memory of 1848	2288	Dhnepfpj.exe	90
PID 2288 wrote to memory of 1848	2288	Dhnepfpj.exe	90
PID 2288 wrote to memory of 1848	2288	Dhnepfpj.exe	90
PID 1848 wrote to memory of 4136	1848	Dpemacql.exe	91
PID 1848 wrote to memory of 4136	1848	Dpemacql.exe	91
PID 1848 wrote to memory of 4136	1848	Dpemacql.exe	91
PID 4136 wrote to memory of 4156	4136	Dcdimopp.exe	92
PID 4136 wrote to memory of 4156	4136	Dcdimopp.exe	92
PID 4136 wrote to memory of 4156	4136	Dcdimopp.exe	92
PID 4156 wrote to memory of 4196	4156	Debeijoc.exe	93
PID 4156 wrote to memory of 4196	4156	Debeijoc.exe	93
PID 4156 wrote to memory of 4196	4156	Debeijoc.exe	93
PID 4196 wrote to memory of 2420	4196	Djnaji32.exe	94
PID 4196 wrote to memory of 2420	4196	Djnaji32.exe	94
PID 4196 wrote to memory of 2420	4196	Djnaji32.exe	94
PID 2420 wrote to memory of 1520	2420	Dllmfd32.exe	95
PID 2420 wrote to memory of 1520	2420	Dllmfd32.exe	95
PID 2420 wrote to memory of 1520	2420	Dllmfd32.exe	95
PID 1520 wrote to memory of 4184	1520	Dphifcoi.exe	96
PID 1520 wrote to memory of 4184	1520	Dphifcoi.exe	96
PID 1520 wrote to memory of 4184	1520	Dphifcoi.exe	96
PID 4184 wrote to memory of 2456	4184	Dcfebonm.exe	97
PID 4184 wrote to memory of 2456	4184	Dcfebonm.exe	97
PID 4184 wrote to memory of 2456	4184	Dcfebonm.exe	97
PID 2456 wrote to memory of 3148	2456	Daifnk32.exe	98
PID 2456 wrote to memory of 3148	2456	Daifnk32.exe	98
PID 2456 wrote to memory of 3148	2456	Daifnk32.exe	98
PID 3148 wrote to memory of 4900	3148	Djpnohej.exe	99
PID 3148 wrote to memory of 4900	3148	Djpnohej.exe	99
PID 3148 wrote to memory of 4900	3148	Djpnohej.exe	99
PID 4900 wrote to memory of 3108	4900	Dlojkddn.exe	100
PID 4900 wrote to memory of 3108	4900	Dlojkddn.exe	100
PID 4900 wrote to memory of 3108	4900	Dlojkddn.exe	100
PID 3108 wrote to memory of 4472	3108	Dpjflb32.exe	101
PID 3108 wrote to memory of 4472	3108	Dpjflb32.exe	101
PID 3108 wrote to memory of 4472	3108	Dpjflb32.exe	101
PID 4472 wrote to memory of 4788	4472	Dchbhn32.exe	102
PID 4472 wrote to memory of 4788	4472	Dchbhn32.exe	102
PID 4472 wrote to memory of 4788	4472	Dchbhn32.exe	102
PID 4788 wrote to memory of 4100	4788	Dakbckbe.exe	103
PID 4788 wrote to memory of 4100	4788	Dakbckbe.exe	103
PID 4788 wrote to memory of 4100	4788	Dakbckbe.exe	103
PID 4100 wrote to memory of 764	4100	Efgodj32.exe	104
PID 4100 wrote to memory of 764	4100	Efgodj32.exe	104
PID 4100 wrote to memory of 764	4100	Efgodj32.exe	104
PID 764 wrote to memory of 1880	764	Ehekqe32.exe	105
PID 764 wrote to memory of 1880	764	Ehekqe32.exe	105
PID 764 wrote to memory of 1880	764	Ehekqe32.exe	105
PID 1880 wrote to memory of 2936	1880	Eoocmoao.exe	106

C:\Users\Admin\AppData\Local\Temp\86ce61027f4ae184361cca747f8460535bcc07fb7ff518099d5892f7ae97d1ea.exe
"C:\Users\Admin\AppData\Local\Temp\86ce61027f4ae184361cca747f8460535bcc07fb7ff518099d5892f7ae97d1ea.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\Dpacfd32.exe
  C:\Windows\system32\Dpacfd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\Diihojkb.exe
    C:\Windows\system32\Diihojkb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\SysWOW64\Dlgdkeje.exe
      C:\Windows\system32\Dlgdkeje.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        31⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3676
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        37⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        38⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        40⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        43⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        45⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        49⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        50⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        52⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        54⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        56⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        58⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        59⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        63⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        66⤵
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        67⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        68⤵
        Drops file in System32 directory
        
        PID:3188
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1824
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        72⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        73⤵
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:404
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        75⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        76⤵
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        77⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        78⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:628
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        80⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        82⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        83⤵
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2892
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        85⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        88⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        89⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        91⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        92⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        93⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        94⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5456
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        96⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        98⤵
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        99⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        100⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        101⤵
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        102⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        103⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        105⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        109⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        110⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        113⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        114⤵
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        116⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        117⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        118⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        119⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5608
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        121⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        123⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        124⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        127⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        128⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        129⤵
        
        PID:412
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        131⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        133⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        135⤵
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        136⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        137⤵
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        138⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5484
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        140⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:640
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        143⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        145⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        149⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        151⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6324
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        154⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        155⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        156⤵
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        157⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        159⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        161⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        162⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6792
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6832
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        166⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        167⤵
        Modifies registry class
        
        PID:6920
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        168⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        169⤵
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        170⤵
        Drops file in System32 directory
        
        PID:7048
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        171⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        172⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        174⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6308
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6412
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        177⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        178⤵
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        179⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        180⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        182⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        184⤵
        Modifies registry class
        
        PID:6976
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        185⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        186⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        187⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        188⤵
        Drops file in System32 directory
        
        PID:6360
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        189⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        191⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        192⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6940
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7064
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        195⤵
        Drops file in System32 directory
        
        PID:7128
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6280
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        197⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        198⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        199⤵
        Modifies registry class
        
        PID:6764
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        201⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7076
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        202⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        203⤵
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        204⤵
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        205⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        207⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        208⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        209⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        210⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        211⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 408
        212⤵
        Program crash
        
        PID:7360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7216 -ip 7216
1⤵
PID:7292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
443KB

MD5
e0d7d5692cd3279a054deade53e3207a

SHA1
de870c1360e519cab7c204518e0f7b7313e94abb

SHA256
e7b8669db8747ed546dc573661543d153836b3553b7abe34f91f20e542e3aa1f

SHA512
ed3f7424b54d2cad4cc27aa0d1f2f3fc48cd3547b72a1ead757789368796220ca003b4cd4fb9098902838e85904950ca4063a042880fc724c283513c561e1597

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
443KB

MD5
af85361dc3e25091b323e662ccb01bac

SHA1
68287b45897eecd5ad3574c039833abb3d561974

SHA256
9cde8d51b5e2d82a595b4df41e1928193c124507ab43c337766d26daa7399c3e

SHA512
e1e6107404a9f521ff83a6fc1c0415bd4eef688c0a8fafde1655913ed46f9bce34d4e81d02d7654c68d75cc1de4ea06a09698b5142e7c0d63b9c793bf97f72ee

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
443KB

MD5
caa1e9c410a8004f12bce45bcac3e7d4

SHA1
3d1b22a104b1fd348f26885ed7151aebe6bd47ad

SHA256
2da8e549c616600f6b2dab65d652652a51cc9b82f153055b95123f5315d99bae

SHA512
b0315d9ad22efcfc32565138a8604ec6c8942302b03da3d4efbac8627e302199a1bf98249edf34ea18c8c73f21b471c3ab6eaa2cf8cd760c48434692d8f20418

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
443KB

MD5
107a2cb133eac2ecd57e5618d8cf6601

SHA1
64be26bf7a29fbef51930c47a7470c14eed1fe99

SHA256
20fbde58f62244ce583e8c9e0b8548662d31a09819f24d4e917b3e7298e7a2a0

SHA512
cc5e8cb8c23f6e18c96dd769aa365c9610b42da1c82c6cfd528a50875a2e496a6821a6b2bfa6d6df15e4a210238e24c82015d19b01176421acd1fc510f0c12d1

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
443KB

MD5
0fae3fb297b492162cdb6cbe2df2c07a

SHA1
b15d295164723d55376aea20db5481ebccec5c50

SHA256
c60b661efe88bda4736b18e73e702c2913f68ad292066d1986ce7b0b206e2147

SHA512
a3725f200376c2aa7b06b740c6fb9620f2c3d6ba80a5a9fdcda3a8a58df66545e7d4ee307af8c1b786c91aacfe1d966eccaeeb3088fc4b68432436d781f44b03

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
443KB

MD5
3b40527b56c755e0666631617ef2bc9a

SHA1
fe3d5ee50a5bb50ca61b4b3aefb8c9dbc8baeb06

SHA256
d8c88d05bf6afad20981c50da86caa7ba04bd5f15f53d19448abc22108680d9c

SHA512
34725a79c464bf7c810c2e16f415033e6f0cbf6558d61025305cd92e32233bd0242120d8c2b904bdbce3585505dab136f08b048cea9c96ac76a0382f0f31ec36

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
443KB

MD5
62ac5743b50f512e4f2c265ff7cbd70c

SHA1
aaf2cd0bcb4d007c558e71bb3418b743c59adc4d

SHA256
61e17499f0f7f7897ae2ee4f1083b93063c5e906e6a3e706dfed353eec7ecd0e

SHA512
38c3b17bef76377fb92c926b968fa777c8d1b6888f663cc71e0ddc3f63baf099c7c61591527f8fad05c2de00f0a24384e5d3cd5df89fc8bb788cd393cb15fcb4

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
443KB

MD5
14fa658c3316feec4aa0f62ef4ad8bea

SHA1
399beac65092d4fdc252145c0f2f795592432cf6

SHA256
3048df3734ec9eed94953bbced69d99cc100becd9f842b356865a2b5f35d2723

SHA512
503574eb1cd711da284bb1ce36ac7a7b3f79b533c1429223a66cb783259ffb96dada2f5436b5e1fc0a20b7b99ed49775a68dfb997138f0ff8b483f18f1fd70cb

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
443KB

MD5
2112fa75bfd198c6448a89bfb97996b3

SHA1
40915776286e8e8491f7350cbceb56964191a416

SHA256
a03d73e9d64051d39ab3c7cf501fb17ee4362d6c50e247df847d78ea55434aff

SHA512
6d28d48901700543444fea2a0f675cee6e51730e7bb2aef995c58fafb35476b2dd8bbb5a2cd6b81be9e17356cfd359be3829c9e320bf021aaeaea89f56beea5d

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
443KB

MD5
4ce23e73ef6cadcd419d4ef324118576

SHA1
d5e340f42fb33d2e43ee718bc77ca982a42bf1ce

SHA256
d8e9dc30af50e21c277a0084267b5e0187545d8fa735772487145e46e2bb1d8f

SHA512
e53c3468ff8460d79e6e00ba38cb6ad558507731ff6700740bbbaf64a39f57a6408e10d408a91047f815e7590731539356c1bab78ddae21caf5999e34bba7d25

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
443KB

MD5
f6653abcdbbd02363b53835f27a8254c

SHA1
bd4da72bfd27abe2aa3ddb578ee4cfbcc65bf732

SHA256
3d25e91fc172c1505c42efeb989a2e93d331d6da4724b6252bdfb3c4348f3a47

SHA512
12ff95db6656f499261fef818e6420d8ac2af8fb6fe3059879cc5956891a1d065f89e5c419eff431da289eaec959dae2bb54d17b0b42b65c02c1c290c1ef124f

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
443KB

MD5
67d234b2aaed6cd12470276a61bc131b

SHA1
4f1cd6a351bbcb91a5b5ec37d92bca75a3076fee

SHA256
8640f55e6d31f084875a76669613d05262dfa9592363ea0b2df1daeccf86dbf3

SHA512
65b4bbadb6f6f50976182de3afcdcfb7ec304ba9f441042cccba24ebdd344cc0722ba55b52bfa7813f9a6fa945e761a563fe6ca41d418c1937ae7b52e7fb0ca9

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
443KB

MD5
f3503e4960ecb059ec63489fbbaccf23

SHA1
34ce5b5c0af0b20b2ca01e7691e09f58e6829688

SHA256
87b1543846334a7740808255876e36af59885efd3a71ea0efda173968b4b31bc

SHA512
6f2e05cc77fdbbaae016a964456cc352d297757035085ddd247ad2a11789b088d878d57e793e076df80d8cf7a819694f548023307f80eb836456141b2ad90f97

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
443KB

MD5
3ce50cfb24d0d489b2cb0ffded7f8444

SHA1
ff6f240784a5e8c87ade38dac77e2ae3122f3cad

SHA256
5c5d2a79ba314aea5a263c554281c041d4734460e4045786a574082bf0968379

SHA512
ce5e91376bc65a83395d8a2776351b6570b8c3ccaa24651b2f8fb392b445dac052e5e21d699e77856f8600ce838ce450aaca1ba2e9818ee255f7ba102555b4b0

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
443KB

MD5
64d92cbc6a97ad985b83ef155613edff

SHA1
e24a7a3640ddf621deae1b00835f00ad2b6b42c8

SHA256
815feb8cb46b68b362341580ddee04467e832fa564a400a7d2ce1bfc742e6475

SHA512
4ebc8ac5e236e264fe937e1d7a4b45551325b27eabd862e46a8ce566dd2fa1fe5e9320e66e7c0fd50652312b5bb7ca94b3bf58bef8d94d57353320bbe363c5f2

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
443KB

MD5
5536bcb36302c97249816e36382cb1c6

SHA1
7d56b622ce264779010545776c791f2a1b4876f2

SHA256
49b2bd1aed4128834e2a9c32f2b1cc6adb9ef20bacaf283f8d5d3bfbdaa4d063

SHA512
91df4393845b0ad1638442eb1714410039a0a08f41eb2537c39b1d29fdad795331be61d55533c00ad39fda1ca5c4240b94d51ebc2157d4f774b4b52bfb269af3

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
443KB

MD5
3bb7b84e7a8dd04e832ad2318f088df9

SHA1
1c9b5f03881bb93cfb0eac88ef4a336a6743e14f

SHA256
0f620385097b91ce221bcc327aaf7e84fb0689eacd6c6406335fc01b9a545a14

SHA512
f5443e40444d59f04c28e39004b7389382310b17785a712b6e66dfb235b6f89cf2da9b92b0183938440074b6682bad96f9820ba992e9fd36ec50d83da4cb1184

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
443KB

MD5
8d3efa3adaccf6020b56c0e36dfffd23

SHA1
3776ed7622652a0cbc256f9edde5ac6cdfcb75c7

SHA256
e36fe9f4b6e9c8a3485439126edd4c91bb551244ed4337e3c0fc21bf4b549007

SHA512
98293f44c290bd77cdd3e55bcec22c021c2fbe64abb9d37a9a047743ea6b3831b7654c4edd2a6ea88c9dad4d9f93f8ee5e8c2bafae6f8e1eaaf5a91f9052afab

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
443KB

MD5
58a8b6d90aa5b35d9b9df12b49e539b2

SHA1
6da3a02bae61febefd7d1b233a812eacf8ee7b74

SHA256
b66d9f18b180901ce6a2d1af1b5f9fdc22a6a3dd3569d031fc188c92fd46a4c8

SHA512
7b8605234ab8931631fdc0fb662ea7b6622226b7a1428148daa5f1e3290c0fd7f30971eb049dd3a49f28b8498a6e7cba48272668002e46d2eb14e096f14b884e

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
443KB

MD5
b0f0ea8b3f71afa2bead87543911e44a

SHA1
11690012b6126c55db6a9fbe5b5d96cdcc9e9f95

SHA256
3248a7e14cf08ae39b82f4bf366d1cae04d5a29b2c5e060b2f6fe436f33c09d7

SHA512
46b4a2258b80cb897469bbde53fdc2c7bb043528570c8c8dc72e66dbf2d6b82b2391bae1fe54f95420451eb9f6869560b8f6c15f9f048f253fb93d4ba406bf5d

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
443KB

MD5
c5dc5d75767d5bf69e138d4cde172d53

SHA1
78d09122ec8b00a0dcb8169be3d1fffa1866c3e9

SHA256
5a072e2958bd0e1adce74e45277b6e8ed44e10d990a5eb49dc6fb2efd59003bf

SHA512
f3cf90e9861bad4ce1dcf6e607238dc5f30608a1bfd920d785e5e0f21b2f7410b1d3a41682191f3e023a26271cb6bb40f5c27a9af6825b256e8f6a3f4bb85287

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
443KB

MD5
d02e6e34fcd4f793ae4da73d3bbde643

SHA1
27e7e13d44f0b45d45cc7ec9115e54c5e533c5ad

SHA256
e61cf4797dfccc45cd6406bfb1cfb619b86813ce960c14dc679ffccba53f4b9e

SHA512
2595834e3a6de867b1bbda8d6da5bc8da7d64e2b256c89db366eb739466a2b986784a480ebb92bf29fefa170c76e46e36ea3200b0f90e1f632a1dbe95642cde0

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
443KB

MD5
8e4ae52a0251b32cbfda862bdf178b0f

SHA1
21cd0667ad99cbab40ba323d441ada100b957432

SHA256
132c6681a29e98bb372dff42259eca4b1e0cd5dc4b947a81dce6510e4b90de33

SHA512
8c319dee818243babdd286316e90034fca87aea3ca8410d2953dd65afc6fe9830c17b625915aff6c7bd15741ee83b4986113372830e3abc219db96fbbb47800c

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
443KB

MD5
87ff5ca1953838d438866ec2b7cbe5a6

SHA1
82913e3ccf8535f9f744494e0af00f650f412b4f

SHA256
1b0dc511994f4ef0c615469eec305838fec9f6fca020007c1932e458209ab305

SHA512
d30d84b8a648d1fae0709d6fb16df349e12a8c1fca56817ddab067114411b78f85d83d0be5a4fcb62c051694f9c8b36b265a831fd370ed6acaa3ee78b69da2ea

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
443KB

MD5
c3bc1cb322f444244db3c04711aa7dc2

SHA1
536202772f9607068917e099abc70a76dd6ab254

SHA256
11026eeb3226adcd23bb5b63104695b89f6265d82747a4e894322caf4c47e468

SHA512
e8b14e041e48fa4e9eebef4b702b31d895000d649483b80b1e19edca3cbb7308cd5a866a28f7a494114ca62b9727e90aa3c29b9e932fef4a8edd712c4d3ee5d7

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
443KB

MD5
c77213b29f0e06ca84af9f64749b4a6d

SHA1
da935a1b350496d3b16f211510d5d4178f9d216b

SHA256
8cc8ba6adaa0dfefad2e30c6397f2c4df67f40b039b3a59fb56faa036918fbac

SHA512
01a7bb5a9c1ee9502b55e618b4c8faf4282679ac95baf0c5918d8f4d3447d9113ec30884ee16c18ee4ac461ded22bd57c8564e208b5c84a1553f8381f8e22a13

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
443KB

MD5
c35c34313ce85edb97431307b9a4cf1f

SHA1
f41a11cbd5bc3849d92a9a022a72b0a33217d868

SHA256
1f54932122dc1bee69eeaa842c2094026139744ba003ad466f14859cb38cb293

SHA512
97da7cea4a37145f83fc568780af48bb723385299a07c7e58797f17a3f8630c5adf771e5148ddfacfa4f40fcafe7ffced1145d9e4a6ab7a987f8a4c88edfe5aa

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
443KB

MD5
46eca1ce99e5f741bffc11371120b6b6

SHA1
d082feb8ff3ef5e3c78badfd2cdef469216216f6

SHA256
fe9e2dd010ac162e6249cb8c3ab1ae714b94ca15643740d35113f435a9a5c5d5

SHA512
bad8f14cc5d4a9873a498ad9352b777b400903759cf8b0b9cfc3619c9f0dfb205d39679296e99d93b9559670aa61e1e1e9e8e8c0c1c096341606a0a814b1eed5

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
443KB

MD5
519335cc6a4c57b124fee90e5ad7b1a8

SHA1
4034388f13c123ca0e90761cb000b69ee9be53a5

SHA256
e1e871ddbbf3113922dbe12bef63aa6fcf738de330e20ac1bbbf38b0ca80e949

SHA512
229c6eb21a6b908e53f066f6cbfcb66dcb79f039b4840ecf93bccac6b64882e3d899a0807bdb184b83c209b6bdb3f40b8ab88c55138b6a6457f188bfba1530b6

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
443KB

MD5
019f9ffec0125e4b26060eab1146362f

SHA1
fc1d1978a1f1d79935a473f13f537871b39d214b

SHA256
8554b24e8b8a3a68161318f4bbfd24a9399ee63e5a9b2da97dbfa5cdba020341

SHA512
7ca39e618662ef28db7623c441d6fcc1a843944b918b5d2ffce438de9e47b867580827b9aabf714ed7bfb79ac9b6c57650d9dbb4f9c711fe6fce0cf4c249a3ae

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
443KB

MD5
2ac85737b4ecccfbdeba35b4b678299a

SHA1
e7b943b74e0b31999e8dab8c15b9629b8301090f

SHA256
976ba80d7100a36b901fd0e6bdbdf46992be8cb9db2a109d80049690d95f7c58

SHA512
4276547c70d6a366ed04333ad67e5c0f9abf86dbc486eabfddfbf6e857b1aa40e0563f0dd265a366d8ba1d1c6115dac201ce80adfc0d9b0866f25b19dbbbff89

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
443KB

MD5
39171907fbe72aabb4748a34f30f01ef

SHA1
f6dd09d6b9ec8853e7f925638a68120aaf72b1b4

SHA256
1f0e1d7737695e56839fe964d841acaca215081f205c56b29a17480f459033d3

SHA512
903c80041db733640a3c46b4a2cb20bb0105116f8250ee8e5ea5b462595387254bae519f13fb7be4b0d54ffb285d7c08a147f658312b5abc6feae10df8ae2f85

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
443KB

MD5
ca0d3d9e56a1136021dd3ef601463440

SHA1
ca9d37c771e02e9fae3ba4b5bc90c6f751af3836

SHA256
86f5632727e27029d330fb42b196f45946725f70bbc4b20d4482ce46b3c81a18

SHA512
23684fa81d8b624f26d58e2f30baf8468eae9a398ac45a10aad409cc0641672aba77c431ec8ad81e52ab361a3be4d6eb43cb0c9fe9619e08eb43f85c25e8a20e

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
443KB

MD5
f1b7a84db0c83cfa947c4add0251fafb

SHA1
0bb09046ab03be0230cbbabf6ced51ddfc2e23b9

SHA256
7caed3165135f99ae646276d81d4e9938f06cc46289099308824605937356627

SHA512
9f9a239e0a9eaeae51b7083d77ec113f1eda743ab281409920efed146cf7188cc6a4e9706a1bfa3910000f72b4d8b2df906c35a1bb5b712860cfef098de0c6fb

Download Submit
C:\Windows\SysWOW64\Hpbaqj32.exe

Filesize
443KB

MD5
28616d75347746805c405c33b40645c4

SHA1
997ac0fababc423bad12ca48ce02f75eda332b0a

SHA256
adbf6c2a53914ed0d924116c33a20b59bfb6928affbf9eaa9010bc30d7c89ae1

SHA512
7975c642949c15e0fd58571789e73c2796cdf927d564ecae23f174fb7926673f69d75a174fbd431135ece3c685c1409b0daa4f7db6c4da43425892afa471bdd5

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
443KB

MD5
ab85c40033e4973c180592b5ba546889

SHA1
f19f390b509b9426f57b028ca461c64470fe7019

SHA256
4e67481c669e073af7c29eea85914750828326bce522cdd9147f3e6d669a11e4

SHA512
41cebada1b2ecf50fc594fc00126206120ff539420063dac39f4874465948854f87e3d95116bc8fcd24b2aa794a8939c56a15c90efc236714f205d0cef07991e

Download Submit
C:\Windows\SysWOW64\Iidipnal.exe

Filesize
443KB

MD5
f8b486d130d279dd564b5989f772456a

SHA1
3c516d3a3ebebd8fb3b66ea45fb3b4087c509e35

SHA256
557317ca67192478cf05e22ccb08f0c0067f0b5283367559e1386d167e7cd450

SHA512
faa34653033d262635f738eb0c6d57626751ffde517b3d7b0c6ddba2cea8bfed046b3a2abba5e7247b2d4a382cf99c310b83fab9d3cc1c8bb1c03b55546404bf

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
443KB

MD5
42655b0eaa02c92b461dc333c442523a

SHA1
b2b9cdf63dbfd5077af28294e42dce10317e413e

SHA256
4b70e0f460d8ffb839cbfae1322a12f9f2ef8c4a3cf0272597dc30893a05ad06

SHA512
a4a23a126b64e8b048728d77d6a1813c63ba48c74e97cb2c2642fbf92b28417ebdd45869544c31dde87c6b187ee0fb79166723f9dc78150fc4245df5e332ac2f

Download Submit
memory/404-514-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/540-425-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/716-490-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/764-404-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/852-5-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/852-522-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/852-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1064-457-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1196-8-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1204-512-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1400-458-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1488-439-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1492-515-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1520-385-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1792-412-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1804-470-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1848-65-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1880-407-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1956-26-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2288-41-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2328-432-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2420-381-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2456-391-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2532-441-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2536-506-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2592-411-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2716-417-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2892-539-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3092-419-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3096-550-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3108-395-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3112-450-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3148-392-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3200-507-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3432-496-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3536-500-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3688-489-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3692-442-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3704-455-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3888-434-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3892-427-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3940-421-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4100-403-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4136-56-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4156-70-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4184-386-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4196-498-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4272-487-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4348-516-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4364-482-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4416-495-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4432-17-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4460-33-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4472-396-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4480-449-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4592-556-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4736-499-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4788-402-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4800-447-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4840-523-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4900-394-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4912-464-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5112-476-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5196-572-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads