e6610e81d1868631f0fb109395479664e8b8f85e068daba13e518535afcc4a56

Analysis

max time kernel
147s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6610e81d1868631f0fb109395479664e8b8f85e068daba13e518535afcc4a56.exe
Size

109KB
MD5

e231cf61e552180c0437d9494192e46e
SHA1

20294b45f0ca99b1e673d84c6fbcf3bc08db9abc
SHA256

e6610e81d1868631f0fb109395479664e8b8f85e068daba13e518535afcc4a56
SHA512

ca1b72686ca5edd5b4b18cc9b1071a4c6e19c16401f2089d1b803b8cd4c02cb459e8623c0dc132d6afa1d4a175e609e5853e560860e8479ce18bbbbf3226a5ac
SSDEEP

3072:OIBvz03i1Es3txS99XvF30hDMJ91LCqwzBu1DjHLMVDqqkSp:O0wi1n8J9Fwtu1DjrFqh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchiaqjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dabpnlkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljkdig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clqnjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camfbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhjkdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpjmee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dagiil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efgodj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe

Executes dropped EXE 64 IoCs

pid	Process
2632	Cpjmee32.exe
5088	Cchiaqjm.exe
3300	Cakjmm32.exe
976	Chebighd.exe
4120	Clqnjf32.exe
2568	Cpljkdig.exe
5104	Coojfa32.exe
3168	Camfbm32.exe
4380	Ceibclgn.exe
2432	Chgoogfa.exe
4608	Cpofpdgd.exe
2112	Coagla32.exe
2312	Capchmmb.exe
2752	Dhjkdg32.exe
932	Dabpnlkp.exe
3648	Diihojkb.exe
4252	Dhlhjf32.exe
1316	Dofpgqji.exe
1676	Dcalgo32.exe
2812	Dephckaf.exe
5048	Dljqpd32.exe
3344	Dohmlp32.exe
4448	Dagiil32.exe
952	Djnaji32.exe
3488	Dllmfd32.exe
4560	Dokjbp32.exe
468	Dfdbojmq.exe
3820	Dlojkddn.exe
3460	Dpjflb32.exe
3828	Domfgpca.exe
3104	Efgodj32.exe
4552	Elagacbk.exe
2592	Ejegjh32.exe
1004	Epopgbia.exe
2016	Eoapbo32.exe
4076	Eflhoigi.exe
2616	Ehjdldfl.exe
3644	Eleplc32.exe
1376	Eqalmafo.exe
4788	Efneehef.exe
532	Eqciba32.exe
980	Ecbenm32.exe
1332	Efpajh32.exe
4300	Eqfeha32.exe
3400	Ffbnph32.exe
1788	Fjnjqfij.exe
3164	Ffekegon.exe
2064	Ficgacna.exe
528	Fcikolnh.exe
2260	Fbllkh32.exe
208	Fifdgblo.exe
4736	Fmapha32.exe
4792	Fckhdk32.exe
724	Ffjdqg32.exe
3948	Fqohnp32.exe
1544	Fcnejk32.exe
1776	Fflaff32.exe
4436	Fjhmgeao.exe
4912	Fmficqpc.exe
3468	Fodeolof.exe
3364	Gfnnlffc.exe
2308	Gmhfhp32.exe
592	Gqdbiofi.exe
4508	Gcbnejem.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mhollf32.dll	Dllmfd32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Gkebcqkl.dll	Cchiaqjm.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Ffekegon.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Jdhine32.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Qjebnamp.dll	Ehjdldfl.exe
File opened for modification	C:\Windows\SysWOW64\Gameonno.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nphlemjl.dll	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Ffekegon.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Domfgpca.exe	Dpjflb32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjflb32.exe	Dlojkddn.exe
File created	C:\Windows\SysWOW64\Mcplce32.dll	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Aodldljj.dll	Cpjmee32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Eqalmafo.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Bdhngp32.dll	Dohmlp32.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Eqciba32.exe	Efneehef.exe
File opened for modification	C:\Windows\SysWOW64\Gqdbiofi.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Eqalmafo.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Camfbm32.exe	Coojfa32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jbocea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6348	7136	WerFault.exe	271

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dagiil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eagncfoj.dll"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Capchmmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e6610e81d1868631f0fb109395479664e8b8f85e068daba13e518535afcc4a56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cichoi32.dll"	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icnmgkke.dll"	Capchmmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokakckp.dll"	Diihojkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ginahd32.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cakjmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dephckaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 2632	4480	e6610e81d1868631f0fb109395479664e8b8f85e068daba13e518535afcc4a56.exe	85
PID 4480 wrote to memory of 2632	4480	e6610e81d1868631f0fb109395479664e8b8f85e068daba13e518535afcc4a56.exe	85
PID 4480 wrote to memory of 2632	4480	e6610e81d1868631f0fb109395479664e8b8f85e068daba13e518535afcc4a56.exe	85
PID 2632 wrote to memory of 5088	2632	Cpjmee32.exe	86
PID 2632 wrote to memory of 5088	2632	Cpjmee32.exe	86
PID 2632 wrote to memory of 5088	2632	Cpjmee32.exe	86
PID 5088 wrote to memory of 3300	5088	Cchiaqjm.exe	87
PID 5088 wrote to memory of 3300	5088	Cchiaqjm.exe	87
PID 5088 wrote to memory of 3300	5088	Cchiaqjm.exe	87
PID 3300 wrote to memory of 976	3300	Cakjmm32.exe	88
PID 3300 wrote to memory of 976	3300	Cakjmm32.exe	88
PID 3300 wrote to memory of 976	3300	Cakjmm32.exe	88
PID 976 wrote to memory of 4120	976	Chebighd.exe	89
PID 976 wrote to memory of 4120	976	Chebighd.exe	89
PID 976 wrote to memory of 4120	976	Chebighd.exe	89
PID 4120 wrote to memory of 2568	4120	Clqnjf32.exe	90
PID 4120 wrote to memory of 2568	4120	Clqnjf32.exe	90
PID 4120 wrote to memory of 2568	4120	Clqnjf32.exe	90
PID 2568 wrote to memory of 5104	2568	Cpljkdig.exe	91
PID 2568 wrote to memory of 5104	2568	Cpljkdig.exe	91
PID 2568 wrote to memory of 5104	2568	Cpljkdig.exe	91
PID 5104 wrote to memory of 3168	5104	Coojfa32.exe	92
PID 5104 wrote to memory of 3168	5104	Coojfa32.exe	92
PID 5104 wrote to memory of 3168	5104	Coojfa32.exe	92
PID 3168 wrote to memory of 4380	3168	Camfbm32.exe	93
PID 3168 wrote to memory of 4380	3168	Camfbm32.exe	93
PID 3168 wrote to memory of 4380	3168	Camfbm32.exe	93
PID 4380 wrote to memory of 2432	4380	Ceibclgn.exe	94
PID 4380 wrote to memory of 2432	4380	Ceibclgn.exe	94
PID 4380 wrote to memory of 2432	4380	Ceibclgn.exe	94
PID 2432 wrote to memory of 4608	2432	Chgoogfa.exe	95
PID 2432 wrote to memory of 4608	2432	Chgoogfa.exe	95
PID 2432 wrote to memory of 4608	2432	Chgoogfa.exe	95
PID 4608 wrote to memory of 2112	4608	Cpofpdgd.exe	96
PID 4608 wrote to memory of 2112	4608	Cpofpdgd.exe	96
PID 4608 wrote to memory of 2112	4608	Cpofpdgd.exe	96
PID 2112 wrote to memory of 2312	2112	Coagla32.exe	97
PID 2112 wrote to memory of 2312	2112	Coagla32.exe	97
PID 2112 wrote to memory of 2312	2112	Coagla32.exe	97
PID 2312 wrote to memory of 2752	2312	Capchmmb.exe	98
PID 2312 wrote to memory of 2752	2312	Capchmmb.exe	98
PID 2312 wrote to memory of 2752	2312	Capchmmb.exe	98
PID 2752 wrote to memory of 932	2752	Dhjkdg32.exe	99
PID 2752 wrote to memory of 932	2752	Dhjkdg32.exe	99
PID 2752 wrote to memory of 932	2752	Dhjkdg32.exe	99
PID 932 wrote to memory of 3648	932	Dabpnlkp.exe	100
PID 932 wrote to memory of 3648	932	Dabpnlkp.exe	100
PID 932 wrote to memory of 3648	932	Dabpnlkp.exe	100
PID 3648 wrote to memory of 4252	3648	Diihojkb.exe	101
PID 3648 wrote to memory of 4252	3648	Diihojkb.exe	101
PID 3648 wrote to memory of 4252	3648	Diihojkb.exe	101
PID 4252 wrote to memory of 1316	4252	Dhlhjf32.exe	102
PID 4252 wrote to memory of 1316	4252	Dhlhjf32.exe	102
PID 4252 wrote to memory of 1316	4252	Dhlhjf32.exe	102
PID 1316 wrote to memory of 1676	1316	Dofpgqji.exe	103
PID 1316 wrote to memory of 1676	1316	Dofpgqji.exe	103
PID 1316 wrote to memory of 1676	1316	Dofpgqji.exe	103
PID 1676 wrote to memory of 2812	1676	Dcalgo32.exe	104
PID 1676 wrote to memory of 2812	1676	Dcalgo32.exe	104
PID 1676 wrote to memory of 2812	1676	Dcalgo32.exe	104
PID 2812 wrote to memory of 5048	2812	Dephckaf.exe	105
PID 2812 wrote to memory of 5048	2812	Dephckaf.exe	105
PID 2812 wrote to memory of 5048	2812	Dephckaf.exe	105
PID 5048 wrote to memory of 3344	5048	Dljqpd32.exe	106

C:\Users\Admin\AppData\Local\Temp\e6610e81d1868631f0fb109395479664e8b8f85e068daba13e518535afcc4a56.exe
"C:\Users\Admin\AppData\Local\Temp\e6610e81d1868631f0fb109395479664e8b8f85e068daba13e518535afcc4a56.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\Cpjmee32.exe
  C:\Windows\system32\Cpjmee32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\Cchiaqjm.exe
    C:\Windows\system32\Cchiaqjm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\SysWOW64\Cakjmm32.exe
      C:\Windows\system32\Cakjmm32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        25⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        27⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        28⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        33⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        36⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3644
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4788
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:980
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1332
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        46⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        49⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        50⤵
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2260
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        52⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        53⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        56⤵
        Executes dropped EXE
        
        PID:3948
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        58⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4436
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        60⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        65⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        66⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        67⤵
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        68⤵
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        69⤵
        
        PID:900
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        70⤵
        Drops file in System32 directory
        
        PID:1220
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3504
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3936
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        76⤵
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        77⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        78⤵
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        79⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        80⤵
        
        PID:728
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        81⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2548
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        83⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        85⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        89⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        90⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        91⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        93⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        95⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        99⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        102⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        104⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        108⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        112⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        114⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        116⤵
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        117⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        118⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        119⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        120⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        123⤵
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        124⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        125⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        126⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        127⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        128⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        129⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6100
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5644
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        132⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        133⤵
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6264
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        136⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6400
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        138⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        139⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6576
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        142⤵
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        143⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        146⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        147⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        149⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6972
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        151⤵
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        152⤵
        Drops file in System32 directory
        
        PID:7056
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7100
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7144
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6168
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        156⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        157⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        158⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6436
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        160⤵
        Modifies registry class
        
        PID:6540
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        161⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        162⤵
        Modifies registry class
        
        PID:6652
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        164⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6868
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        166⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7020
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        168⤵
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        169⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        170⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6424
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        176⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7000
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        178⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7136 -s 420
        179⤵
        Program crash
        
        PID:6348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 7136 -ip 7136
1⤵
PID:6212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaokiafg.dll

Filesize
7KB

MD5
77cd3c0da63a0276cfac689149abf7ee

SHA1
be2e6209e799a37c60ab84847229e42e9850eb36

SHA256
d2738372651ceb21a489df5d4672457dce77c20f031b6416aedf110cbc9cf289

SHA512
f69cde176a69f54114e6123cb410fd3ae7d067eb2644077a77d0db63e415d3df273ee7d687bd993e128157fae19e41e90914415859b4b595684e5ff99e020b9c

Download Submit
C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
109KB

MD5
f544e47440c1623fb1ca9ef4616fc5d7

SHA1
ae849cd6279e39676c9dba16f770c1fc6cd54136

SHA256
e04126f7d10a860c46e52696b53ca24978c92d3d4d2453bb88a18b4a0eddc27b

SHA512
9daf0325683a0bc4f633fe5255cb77ecbc14e232645f9b74789bf56c935a972c97f7f4eda731ad0e2bc8d6ddfd0ab844167d8f720616a099e0f2e5ea9ac72a71

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
109KB

MD5
ad568d0589652d46ab41df463e89a427

SHA1
6b252ce05241faac75cf33a6907a5eaff2874ba2

SHA256
7ec7f9de67f6275a2d5210b029d2717e76e9ec6423beb538adfdabe6211b3475

SHA512
ca768684087e48202513237df0975d1a05945b27011b4bed874b4911a3996c98777b3371ef1d84ee6c553f0f5d7e63a92956b9eaa5d60642304b34065ea199a3

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
109KB

MD5
81e27f284b7d8feacc9ff540fc60644b

SHA1
29b6955180f5e17424ba04424778222df9341482

SHA256
e9617bc58586a510732c792e08c9573ccd864cfac2a9d09034fd9f3134ad5700

SHA512
ff92503e5617f2a769a550894c06efa594a16605df32a6e07277fc576a21fec79dbcea4ba5f62fbd6662ad2dd805c2c36eb9bc7d7dd476be792079bee6267295

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
109KB

MD5
4dd852cba685b2dece2c89172513ebf2

SHA1
9c1587061cb1e9184c5f2d5e7e89465bd65f1cf0

SHA256
b6a3734161a2413f846b9ded49c6fe8db119d678f2a6e599a935f3bac4bd794d

SHA512
9bf4d366358034ac506fb85a32ecaacae35c50f6932c12f61ba5f9c9018a54d01c12313b38d8486da3f9bfc3576ab2591662271bd987212abbcd5762ed70853a

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
109KB

MD5
3c1b0f6be9b8a4c6e398b9785451af88

SHA1
304b57a67a792047278d27dd45bc5803f46a1840

SHA256
52b540712600a8fab33f034380c7fd8921ff03870fc8540db8c5b191128fa7f3

SHA512
cb4fc15232e74903c33846e0d5b40352327a77d9c502223f92805e2e56fb93e2b929bc31f2fd2f722c73ffe23234342ff25ed5130a05af2f99a98625247c0bae

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
109KB

MD5
ef99235da385e488c084871b92fc7034

SHA1
bda84cbc04f041bbe784e63cb2b6c3b561e4467c

SHA256
c543fd93029b3e2d5adf5a67f010826b1875c20d7a523d612f303173f607d54c

SHA512
8488c017ed9ee31c2b1837d0f09a180f1c198fd2a628834de0428005e6dabd1b000700b7cb4efe8c807b5754941f9b6721eb54ca0687271c8ff291aff0ed0fbc

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
109KB

MD5
e157d4bd32a4c36d77b2f9ca10ad3802

SHA1
b9198fc12ddd721e24b26b8eb7ac4e0be4fc0d86

SHA256
1896b23e2c95a45d0b96b3ea29e960f63500dd95adb9c1d0915488699cabae8d

SHA512
1181d4008bb609e65000d1babbcf691142fc99edc59fe98d5669be5effa556cea68466ebfdf0c70023ba75198b37747aa9c5e6714c8302db3d549ae692538485

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
109KB

MD5
bda19241a5325aeaa83323034d7bd935

SHA1
a8ae5ffff0d379b5f7522ca0dca33647d5b6d3f4

SHA256
d054cfc7c28c6b8f93cbbe2390a2a47a54ff79519d9efeafc1460e33e282d45f

SHA512
5690bd025032162304bc6c5d2cc9256d9f1181c47f6f68bfbecffaf1dc6f2a6bf4476350aa89c0ec1f6ec21e02feaa2705a97cc8e89e1853db26796fe838d122

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
109KB

MD5
02b8cdcb36fb4530ac04c3d2e2d9307f

SHA1
136b681a468eab05d37ac90cf020e33597586b6e

SHA256
a81d855d5efd51ec56f705e2487631f5e6039de8c3fe8b6e0f093d625652e848

SHA512
e735ca7f535877c2c0af7bca085463b582b205216e25d59c054bb9b2498024a7f1e72dd96aff3d218548dc0f1c9e963e380297af7ce47ffb1f846bc2ab0f2d87

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
109KB

MD5
3597cc97ca4171f7a01b1c99a5005234

SHA1
b1538089170e1943a92be6026b89798eb779d5e3

SHA256
89228c8bf1798dc8a2eb1101355ca22ba42e98dff42ec1dea3ab2ae925ad25c0

SHA512
1423a500badf0191307cbce69e3b561dccb58ea7e47f6013364720fea092af482ca49643b4c26e557561049e8413ce0ffaff49fc8965a1819265a607f7fadee3

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
109KB

MD5
39cb6089803ae18cdc7391ed377f1fec

SHA1
7cbc92708da9b846ada040bc1c4e4600a2666253

SHA256
cfddfce59165fa796c6d04328e2288c777afb79c0d949a49791091858ca189df

SHA512
62f9f63dbb5c75c4b25407ed44dd84ef37dd00ce075dd87ef5e9b5053cbfb7ca1bb56506b6259921d3a0a20eb4f3a76683a32f7325ab1c08cabf820b99f9195a

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
109KB

MD5
b65691b64c86e585ff4c5b13721bc057

SHA1
050119d25ecf481d7f1335f3521f0a1e9a61ffa5

SHA256
bbf7c18d8d086c7e6a06ae179b7dce0a8c1e5516bee984bfd784e5c22024bd11

SHA512
1aa9f5bf0682859f44262bd92a8c60f6eb8a030265f9dd2c7b4ef56f3ca6170e303b4b9db9fe62e08ab50bb226551fa30b75a5722ffc792a99bea2965c26b21a

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
109KB

MD5
b5bb7bae3c2d4b19dfaa2383c258c8ad

SHA1
7eeb0ccb47a1db136aa3e10ff66d18e90e202a9e

SHA256
b51e1ab901cc6fa905ea3d412122edcc2a7ba286aac46733a9c15e4f51b4b6bd

SHA512
d487935ee32c71d20c88762b345908662a2947be09adf68a68ae334d0c9ca27bb495fabc4e2ef11b97fc86d066a7d07c9e9067d45cb406e45e6d736ffd921ed2

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
109KB

MD5
de7524f929b18c64e11d1d0fd26a224d

SHA1
58230be84469c51672dfe4be2ef51de13d5ab5c5

SHA256
8973d2137fa7b2eb7777943d0eeeb8f3639d9801d1e9f401eb69e098e1dc5ed3

SHA512
83cf5f560f10ae76254d7ed808da61bd1aa62fc98f728dffc898287f912a5383fa1b165e5c09e85c342c99425aab03a287cbe1ec0a25088abc33f767a3508d10

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
109KB

MD5
39f02c9e7178424a10b8535f319936b4

SHA1
6eeda791025f02f29b48f907399e0f42869b7bfe

SHA256
40b01003a109b0ee689a7fb1012a27ebb4cc9a962cc85d4e5b4ac722a278a5a0

SHA512
c729e8829cee681264cda93e375384626ad811f9ad8795e35a894a54b316d415a0210477a454882f519f3e7aa7ca63897a97704e1ff839b855a3b9312794ca65

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
109KB

MD5
b6eb6d0979cd70dddf0a5501eebd7c35

SHA1
8da3ec468ad54c69643b9dbb2e3ad40798a368fb

SHA256
a9fd64826577167c461d99f63bd1968340dfe7ec3fe7a87c78eb47c38c1d8216

SHA512
b604832360b58d3d8d8a557c9a64e2ca0b17afa84825f0c576f01d2a866f8e56aa3bbe8df8da8156066725fb82aae4d1e094a67a9609fe120665c6e8a3f57727

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
109KB

MD5
7a5bea4b120a28431420c03a12fe3c61

SHA1
04fbf3c4a6d2091fa818753014721a4f36d77837

SHA256
4283ed2d4c08afa9d65d86036de1411b86b7fdd53a20973318fd9789007e2b5c

SHA512
ac6b161c4bfdaeca7c52b46d5f39e995eed30705d6a6fbd40ec1aed8d4ccaeabc529f8ff42733cce9bb27d8f9a9a27971e857cb4ab34286cd16c6df9591cb47c

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
109KB

MD5
2e58851a997bd078e4a156a21273964b

SHA1
41b5bd6854a6ccdaf4b978fc3283c7f7c44dd897

SHA256
4a87ca6e53f4b1abd35b3dc73c498a53e0732ad3bab884adf66e2689743ac945

SHA512
b976f7428afa89f4a0215b3a7bedfd2204959bd1f684c9466c1b703615b8cb8534e0edcbdb02653f16646a4d88557c691ea9e1fec58f02bbfd9db1687f5acc67

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
109KB

MD5
fed3822c7c3033ed83b35182b1022eb9

SHA1
fb5550954508d4bdf76fb16c6d06ac77466e6acb

SHA256
d311969a0558ccfab69902ce0930472a3adf3f365800e4fd6840646cc8d63a5c

SHA512
e31552ed5c475c860d24ff6daa480d6c40a0b2e6e1bff2117844d6706a8479c9fbca996984577db328c46e54b096348852f7ef670501c0cba3b62a56fdbbfc16

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
109KB

MD5
e31a87cd9e33038b9ac39ceca0f4c078

SHA1
eee4ac758d3eb2972acdbe7a8019149b197ed27b

SHA256
651f4c4b1c754081fac1f6bcc1767312bfcb2469523b3ee79d7db39ea0755c2f

SHA512
9512b0fa507751b773f2105c1e31b150072347391bca2f1762526467e35bc61f168efed244f01e110ac8575d1d4970119fb6809abc115a9e40d338c57a10e395

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
109KB

MD5
d5374adb38557746a7728d2194a7891a

SHA1
4e3952f93701ee1c5fd53bb17c81bb11dcec81eb

SHA256
dba0162577046e8de5d9691b549a0cee0b63590777f1a901422fcbfee0450f75

SHA512
4c66d4019dbf9b9124a9af574e0a42391fbd02362d9acfb25b8d478cfab2c599707e12973f7058bc43eb76c5d940a8f4f1141f5457f6e19813caaa152dd9a0b6

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
109KB

MD5
1b7db1ef1c0d034cb67fa77ba01b919e

SHA1
d1412cc035edb9f95f43e008c8a457af21bfb28f

SHA256
52988b9e35fc45e2fd5007a54d5b37b6f2d8d70c306955360a03c8db63031ace

SHA512
029f14b2909fb3caa8a7666ed1a5c55ea8236e18731b6cd445231f5635fb3f3ab6b95642edb749d97ee567340cfc9c9cdb917327fcfebb0b334b2a8ef64e8bda

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
109KB

MD5
a2d338440c4172b7559fba2513d9e83b

SHA1
6e70b7edd99a3a637379a3f868603f4b8d8b79fa

SHA256
a2fc1a7e4d3556011e9981c5240e8711f7269b5237a1441025b22d43044c25c0

SHA512
33d4602bf96bcfc40972df709bb505860ff607394eab12d26ec14498596e49a609790c0908303787b1baccdb8ee399a54043b202fd7ffc2e7f21a42176536a9d

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
109KB

MD5
5d5cdb3125d186f53bc12d2c02d10274

SHA1
ede06abd851592218eb4042613bd4f928236590f

SHA256
7ddace08ae75b7c1c3d42e58819a0f7cc920be5ec88ae44ed9d324ce0bc47e79

SHA512
124f88671193d171c9e3fb273a78842fa5c7451ad8108b1d93289624a7f8c9e572b719f91391044f2628de451b672323b4e6cea910ec84c5741f40eaac3ebb3c

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
109KB

MD5
49b85b5dcae748990cfa273554a57f41

SHA1
a599db8e99a3ee723bcd946f6db1ef9226747a7c

SHA256
cbc9f6f3803e7243d21ce224745c783b9266cbea5da1973bfc5029d3008ea9ab

SHA512
4fab1748736adbcc98413b6144017f44a229c1c7864b34be943c29fbf032cac1ce54a201fd6339936b35d39dd00c8f7d294be0817556037b48e84e4d1d1adb90

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
109KB

MD5
6fd6c60e1f1437b233affaee650541a1

SHA1
852a90026bb4ff977604936020c0f97e5ae67377

SHA256
92018701e2bd71a5b3ef6844b9b662e14c420e3f4148534df09bc2036b6d0f76

SHA512
b1e01dac714d9807f23924cf073334c1be371ca869307e52b0b26757f2c85923837bb8d52470d09b38718248865154bba459bd6c94a8f32d67291687dfbfba78

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
109KB

MD5
725064c93570c62bb4f57c6b0416da63

SHA1
efe501ecaf0da8f07bbf0f9d257502db7d0bb035

SHA256
14622500d0c6f9027aba684fabba54a610886744e116bcd5041a68d73227b581

SHA512
7942f7053b344f3dbdd1f53a3e91f17c5762a3bc4d23a5722e19250632b4761864b3852900b60bb4fb2f9648b3958499b46c9d30d83b20d3207348c3deccee9a

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
109KB

MD5
55c9685096715aad9edb452840f87e73

SHA1
07098adf725a87610c711866c06e2a140d14bfdc

SHA256
9fcd9c125352c966c9e1846f2bb6630a27f69aa9439222166c2d3a48b2f92698

SHA512
f1b91423e561ba1b9a14029809224eb6a9a41e6f329d19323949eb643dd56892260e847c2f3a6c203346684ece1293d51df73777856bd267bafc7e8d03b58f41

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
109KB

MD5
9c881808f49eb6e38dfc74fa429132fc

SHA1
e6996d17e15c6eb853e8fcf8d522f466715bbd4c

SHA256
5be415dcb184d78db6c17ce1e28a7176b330e9914d4b6113d4b2ac1b09d7675a

SHA512
09f6567a9fce4b37344de5c71865bf08430cd19c58e94166432e4d4801d613bfe7fc49039ca96dabe68973c3ed23f4009e8cb85ed8d357cfbfe7450d4c823994

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
109KB

MD5
097ebb48a2d524e5a30c28e30653ae21

SHA1
de13854e725ef59abedc73e80869718c6f3c174a

SHA256
a488d59acc691ff5fc3c926927bfe9f3c19e80d55ca273a51ce70b9cf2218f81

SHA512
3b48570bc8e600aaa4e141354df1e43f1e072b754ace6bea4d5c7a13d99034014b9683eec4a208be86a77b27119be8eb0a349b7039cca38e2fea6ee4ff32528e

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
109KB

MD5
212420bee10ded8e5971a7c13ce195c9

SHA1
3b43341fc1fbce3d123072229c1157ca2948213f

SHA256
b4259b597e0ba344cf8b7b757b37056e480e4adec9288a92e4673593109f5038

SHA512
b0a2742c7b0ae71b9ec297ffcddd971626c0bf33999769af548d07fc5543f23cace54d3e3047f0d4f1520b16b251e03f1c80f7ba46d182035ce786af2cec29aa

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
109KB

MD5
f018311f2b2f109bfbe3cb15becc8917

SHA1
86883a748389e246d634b4e21a01a3b4f4e32418

SHA256
7752aca28de535c286eb6273167ca7c13ea02c1bb8cfb8054bf985b0391d3a46

SHA512
11ba0dd46905e03c0d2db830443c96635dd4bc65e71862d4545eed108dc041e50105ded8ab5de4d175cfa0069fad6a81d627fbdd3b8d03ca452fde42ca97074e

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
109KB

MD5
2bb85991fb1c79c2a3cc25329d6f192c

SHA1
a1b508eb69684e64a2888595e1285a3739e0a6f8

SHA256
8465ccea51b81849782c99d54e64e355b55f8b343beaabfee5ecdc8498e651eb

SHA512
421b370378b1627ec45f330e078a0465c9d0dd51a1b998679ffae0c8e24a3ed89a8c280f7ff7b9af7cda79fce5cda3695ed85d1d12a72da1e2f65f80e28c7c70

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
109KB

MD5
3ba3315404a01f8405f6199d73da4794

SHA1
87cfd625af41cad7832a2d99d1ff80548a0c6f7f

SHA256
7de64485a46df417ce10d366fd5f730f7c8dbb43c1ef4beda8619aafd266cd78

SHA512
17d7198036fad61a9deb22ceca4fec23cbcc3f9c53cd69156f51e249f4bc8b03b8bc627f46f7506b2b20e00bbe3fb28589a54eb1a0ad25b3ae91abd3e1ee2845

Download Submit
memory/208-374-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/468-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/528-358-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/532-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/592-447-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/724-392-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/932-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/952-192-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/976-43-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/980-316-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1004-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1316-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1332-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1376-298-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1544-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1676-156-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1776-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1788-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2016-278-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2064-352-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2112-101-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-364-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2308-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2312-109-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2432-86-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2568-60-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2592-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2616-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2632-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2752-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2812-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3104-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3164-350-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3168-76-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3300-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3344-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3364-435-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-339-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3460-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3468-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3488-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3644-296-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3648-132-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3820-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3828-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3948-394-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4076-280-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4120-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4252-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4300-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4380-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4436-417-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4448-183-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4480-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4552-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4560-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4608-95-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4736-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4788-308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4792-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4912-418-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5048-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5088-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5104-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads