88129f58c109d923de5c065540bd9fb8168b0a5c4557c2c9a0fab6009481da71

Analysis

max time kernel
8s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 18:20

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-24T18:21:08Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_21-dirty.qcow2\"}"

Report Analysis Logs

General

Target

88129f58c109d923de5c065540bd9fb8168b0a5c4557c2c9a0fab6009481da71.exe
Size

128KB
MD5

a5084ddd8d723df69bd7e13c4248464f
SHA1

2e0dfa3fd0d7cfd863559f491344f0f6009becd0
SHA256

88129f58c109d923de5c065540bd9fb8168b0a5c4557c2c9a0fab6009481da71
SHA512

ef30ac33643ba0d819125d13a1a20842311bc2f331767f87c6fadb4fa7c98a6beda373416628b9b07f55686c51ad2cd3de3ba0a3bb0d23a2c6ec9905c3941e07
SSDEEP

1536:8CQj5nrs2e3G6zV3/7LGq0e9j7ykqHTKhXrZcWiqgF72S7f/QuMXi1oHk3CYyq:8ttI2r6h3//T9XrmW2wS7IrHrYj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cojqkbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojqkbdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clckpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coagla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cefemliq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpemacql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe

Executes dropped EXE 64 IoCs

pid	Process
3400	Bpcgdfaa.exe
3180	Badcln32.exe
3672	Bikkml32.exe
3412	Clihig32.exe
3048	Cccpfa32.exe
4588	Ceblbm32.exe
2324	Clldogdc.exe
5004	Cojqkbdf.exe
648	Caimgncj.exe
1584	Cipehkcl.exe
1600	Cpjmee32.exe
1232	Cchiaqjm.exe
1848	Cefemliq.exe
3176	Chebighd.exe
4884	Clqnjf32.exe
4236	Coojfa32.exe
2668	Ccjfgphj.exe
3940	Ceibclgn.exe
3300	Clckpf32.exe
4312	Coagla32.exe
4152	Capchmmb.exe
2588	Dhjkdg32.exe
4704	Dlegeemh.exe
3852	Dcopbp32.exe
544	Dhlhjf32.exe
4316	Dofpgqji.exe
2428	Dephckaf.exe
3816	Dpemacql.exe
1128	Dcdimopp.exe
4708	Debeijoc.exe
1948	Dphifcoi.exe
2984	Dcfebonm.exe
4408	Dfdbojmq.exe
552	Dhcnke32.exe
3944	Dpjflb32.exe
4824	Domfgpca.exe
4632	Dchbhn32.exe
4444	Ejbkehcg.exe
1428	Elagacbk.exe
4964	Epmcab32.exe
3432	Eckonn32.exe
4256	Efikji32.exe
3384	Ejegjh32.exe
3312	Epopgbia.exe
3628	Ecmlcmhe.exe
4924	Eflhoigi.exe
1748	Ehjdldfl.exe
2704	Eqalmafo.exe
5036	Ecphimfb.exe
2536	Efneehef.exe
1228	Ehlaaddj.exe
4492	Eqciba32.exe
4896	Ecbenm32.exe
2948	Efpajh32.exe
3172	Ehonfc32.exe
1772	Eqfeha32.exe
4772	Fjnjqfij.exe
1860	Fcgoilpj.exe
4356	Ffekegon.exe
2672	Ficgacna.exe
4052	Fcikolnh.exe
1416	Ffggkgmk.exe
3372	Fifdgblo.exe
1896	Fqmlhpla.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Cipehkcl.exe	Caimgncj.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mgqlqc32.dll	Badcln32.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Aodldljj.dll	Cpjmee32.exe
File created	C:\Windows\SysWOW64\Dofpgqji.exe	Dhlhjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Cojqkbdf.exe	Clldogdc.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Epopgbia.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Ejbkehcg.exe	Dchbhn32.exe
File opened for modification	C:\Windows\SysWOW64\Eqalmafo.exe	Ehjdldfl.exe
File opened for modification	C:\Windows\SysWOW64\Dchbhn32.exe	Domfgpca.exe
File opened for modification	C:\Windows\SysWOW64\Elagacbk.exe	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Mcplce32.dll	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Cojqkbdf.exe	Clldogdc.exe
File created	C:\Windows\SysWOW64\Dphifcoi.exe	Debeijoc.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Bikkml32.exe	Badcln32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ficgacna.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Ghamqdaj.dll	Cojqkbdf.exe
File created	C:\Windows\SysWOW64\Aaokiafg.dll	Chebighd.exe
File created	C:\Windows\SysWOW64\Ehlaaddj.exe	Efneehef.exe
File created	C:\Windows\SysWOW64\Fcikolnh.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Clldogdc.exe	Ceblbm32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Fodeolof.exe
File created	C:\Windows\SysWOW64\Ebjmif32.dll	Dephckaf.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Cchiaqjm.exe	Cpjmee32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Ficgacna.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Caimgncj.exe	Cojqkbdf.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7008	7060	WerFault.exe	286

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpcgdfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjfgphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clldogdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmkpqcp.dll"	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geekfi32.dll"	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmljla32.dll"	Ccjfgphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chebighd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmggiogn.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cniohj32.dll"	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakfehok.dll"	Fijmbb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3400	5020	88129f58c109d923de5c065540bd9fb8168b0a5c4557c2c9a0fab6009481da71.exe	86
PID 5020 wrote to memory of 3400	5020	88129f58c109d923de5c065540bd9fb8168b0a5c4557c2c9a0fab6009481da71.exe	86
PID 5020 wrote to memory of 3400	5020	88129f58c109d923de5c065540bd9fb8168b0a5c4557c2c9a0fab6009481da71.exe	86
PID 3400 wrote to memory of 3180	3400	Bpcgdfaa.exe	87
PID 3400 wrote to memory of 3180	3400	Bpcgdfaa.exe	87
PID 3400 wrote to memory of 3180	3400	Bpcgdfaa.exe	87
PID 3180 wrote to memory of 3672	3180	Badcln32.exe	88
PID 3180 wrote to memory of 3672	3180	Badcln32.exe	88
PID 3180 wrote to memory of 3672	3180	Badcln32.exe	88
PID 3672 wrote to memory of 3412	3672	Bikkml32.exe	89
PID 3672 wrote to memory of 3412	3672	Bikkml32.exe	89
PID 3672 wrote to memory of 3412	3672	Bikkml32.exe	89
PID 3412 wrote to memory of 3048	3412	Clihig32.exe	90
PID 3412 wrote to memory of 3048	3412	Clihig32.exe	90
PID 3412 wrote to memory of 3048	3412	Clihig32.exe	90
PID 3048 wrote to memory of 4588	3048	Cccpfa32.exe	91
PID 3048 wrote to memory of 4588	3048	Cccpfa32.exe	91
PID 3048 wrote to memory of 4588	3048	Cccpfa32.exe	91
PID 4588 wrote to memory of 2324	4588	Ceblbm32.exe	92
PID 4588 wrote to memory of 2324	4588	Ceblbm32.exe	92
PID 4588 wrote to memory of 2324	4588	Ceblbm32.exe	92
PID 2324 wrote to memory of 5004	2324	Clldogdc.exe	93
PID 2324 wrote to memory of 5004	2324	Clldogdc.exe	93
PID 2324 wrote to memory of 5004	2324	Clldogdc.exe	93
PID 5004 wrote to memory of 648	5004	Cojqkbdf.exe	94
PID 5004 wrote to memory of 648	5004	Cojqkbdf.exe	94
PID 5004 wrote to memory of 648	5004	Cojqkbdf.exe	94
PID 648 wrote to memory of 1584	648	Caimgncj.exe	95
PID 648 wrote to memory of 1584	648	Caimgncj.exe	95
PID 648 wrote to memory of 1584	648	Caimgncj.exe	95
PID 1584 wrote to memory of 1600	1584	Cipehkcl.exe	96
PID 1584 wrote to memory of 1600	1584	Cipehkcl.exe	96
PID 1584 wrote to memory of 1600	1584	Cipehkcl.exe	96
PID 1600 wrote to memory of 1232	1600	Cpjmee32.exe	97
PID 1600 wrote to memory of 1232	1600	Cpjmee32.exe	97
PID 1600 wrote to memory of 1232	1600	Cpjmee32.exe	97
PID 1232 wrote to memory of 1848	1232	Cchiaqjm.exe	98
PID 1232 wrote to memory of 1848	1232	Cchiaqjm.exe	98
PID 1232 wrote to memory of 1848	1232	Cchiaqjm.exe	98
PID 1848 wrote to memory of 3176	1848	Cefemliq.exe	99
PID 1848 wrote to memory of 3176	1848	Cefemliq.exe	99
PID 1848 wrote to memory of 3176	1848	Cefemliq.exe	99
PID 3176 wrote to memory of 4884	3176	Chebighd.exe	100
PID 3176 wrote to memory of 4884	3176	Chebighd.exe	100
PID 3176 wrote to memory of 4884	3176	Chebighd.exe	100
PID 4884 wrote to memory of 4236	4884	Clqnjf32.exe	101
PID 4884 wrote to memory of 4236	4884	Clqnjf32.exe	101
PID 4884 wrote to memory of 4236	4884	Clqnjf32.exe	101
PID 4236 wrote to memory of 2668	4236	Coojfa32.exe	102
PID 4236 wrote to memory of 2668	4236	Coojfa32.exe	102
PID 4236 wrote to memory of 2668	4236	Coojfa32.exe	102
PID 2668 wrote to memory of 3940	2668	Ccjfgphj.exe	103
PID 2668 wrote to memory of 3940	2668	Ccjfgphj.exe	103
PID 2668 wrote to memory of 3940	2668	Ccjfgphj.exe	103
PID 3940 wrote to memory of 3300	3940	Ceibclgn.exe	104
PID 3940 wrote to memory of 3300	3940	Ceibclgn.exe	104
PID 3940 wrote to memory of 3300	3940	Ceibclgn.exe	104
PID 3300 wrote to memory of 4312	3300	Clckpf32.exe	105
PID 3300 wrote to memory of 4312	3300	Clckpf32.exe	105
PID 3300 wrote to memory of 4312	3300	Clckpf32.exe	105
PID 4312 wrote to memory of 4152	4312	Coagla32.exe	106
PID 4312 wrote to memory of 4152	4312	Coagla32.exe	106
PID 4312 wrote to memory of 4152	4312	Coagla32.exe	106
PID 4152 wrote to memory of 2588	4152	Capchmmb.exe	107

C:\Users\Admin\AppData\Local\Temp\88129f58c109d923de5c065540bd9fb8168b0a5c4557c2c9a0fab6009481da71.exe
"C:\Users\Admin\AppData\Local\Temp\88129f58c109d923de5c065540bd9fb8168b0a5c4557c2c9a0fab6009481da71.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\SysWOW64\Bpcgdfaa.exe
  C:\Windows\system32\Bpcgdfaa.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\SysWOW64\Badcln32.exe
    C:\Windows\system32\Badcln32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\SysWOW64\Bikkml32.exe
      C:\Windows\system32\Bikkml32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3672
    - - C:\Windows\SysWOW64\Clihig32.exe
        
        C:\Windows\system32\Clihig32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\SysWOW64\Cccpfa32.exe
        
        C:\Windows\system32\Cccpfa32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Clldogdc.exe
        
        C:\Windows\system32\Clldogdc.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Cojqkbdf.exe
        
        C:\Windows\system32\Cojqkbdf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Caimgncj.exe
        
        C:\Windows\system32\Caimgncj.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Cipehkcl.exe
        
        C:\Windows\system32\Cipehkcl.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Cefemliq.exe
        
        C:\Windows\system32\Cefemliq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Chebighd.exe
        
        C:\Windows\system32\Chebighd.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Ccjfgphj.exe
        
        C:\Windows\system32\Ccjfgphj.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        23⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        24⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        27⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4708
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        32⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        34⤵
        Executes dropped EXE
        
        PID:4408
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        40⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        41⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3384
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3312
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        50⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        54⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        56⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        57⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        59⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4052
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        64⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        65⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        67⤵
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3368
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        69⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        70⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        71⤵
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        72⤵
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        73⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        75⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        76⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3648
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        79⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        81⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        84⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        85⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        86⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        87⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        89⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        90⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        92⤵
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        94⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        95⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        96⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        97⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        98⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        99⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        101⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        103⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        104⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        107⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        108⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        109⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        110⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        111⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        112⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        113⤵
        Drops file in System32 directory
        
        PID:5728
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        114⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        115⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        116⤵
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        117⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        120⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5360
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        122⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        123⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        124⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        125⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        126⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        127⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        128⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        130⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        131⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        132⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        133⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        134⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        136⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5448
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        140⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        141⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6256
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6344
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        148⤵
        Drops file in System32 directory
        
        PID:6388
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6476
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        151⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6604
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        154⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        155⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        156⤵
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6816
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        159⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6904
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6948
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        162⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        163⤵
        Drops file in System32 directory
        
        PID:7028
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        164⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        165⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        166⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        168⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        169⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6372
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        172⤵
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6580
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6644
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6712
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6784
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        177⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6916
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        179⤵
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        180⤵
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6192
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        183⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        184⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        185⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        186⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        187⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        188⤵
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        190⤵
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        191⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        192⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6500
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6720
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        195⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        196⤵
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        197⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        198⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        199⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7060 -s 420
        200⤵
        Program crash
        
        PID:7008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 7060 -ip 7060
1⤵
PID:6624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Badcln32.exe

Filesize
128KB

MD5
0d6d653cbd85d978b4d7b3907a2ae53d

SHA1
71093b4493c777080039978d408a5ad5b1e98387

SHA256
6d5eb9366bc104277fc42b8b5aca8faea7d2a30e49dde5ecd5771f66392f6c10

SHA512
fde1233e5cf12eba597b294ef4d6c44debd8201fac3d96429d36de32cfa7dff3442219b8e9eb81065defd13b3a0b75b2b492b4e8266e668eb8cef87b3099c8f2

Download Submit
C:\Windows\SysWOW64\Bikkml32.exe

Filesize
128KB

MD5
a63e5b4b99b1631ce61d64fabdb8ed87

SHA1
d5d41d192cf0fa3e63c158c3de31f38a965f53ca

SHA256
2924b73ae70f8d195f03fd64a43166282034eb5053e380d15a10a0f1838a8f5a

SHA512
84ff760ab6869f5f14c9c3623dc715f177bc428a8a8637e0c86e4dbee13b71bb93a2b064ff18fb78ad9039a9e76e5e79be967c5ab1975bac0adf169b08444d18

Download Submit
C:\Windows\SysWOW64\Bpcgdfaa.exe

Filesize
128KB

MD5
45dbbf4d7ca1bfe19cee3b0e9e1690b1

SHA1
c4d4404163a8a7c7c29cc05b1a7cf196a3de0811

SHA256
35c8990d2d6ed4d47f1d4f32d578dbc670e7963c2231089390c029f40edec2b6

SHA512
c9f6636a607e9b9b79500dbf7dfee52bdf4e8c55f502f168f3899aececd3df86ef2ddfabaab78034e19f61427f6d5c36dff433c74e714ca5b28ed3ba0e5d5a37

Download Submit
C:\Windows\SysWOW64\Caimgncj.exe

Filesize
128KB

MD5
a86dac910c2785890b794c646fe5190a

SHA1
eff128afbbe98f44e1d7ddf0aa72a95274320357

SHA256
2974ebb6ae2f62b57ca0a77806449ceb48cb7b4af05cda343b6fac110b5f7d37

SHA512
37c47c93e14ff0feb06dbb895aca09848007c2e32dad6293b293531ee2c93287065890810cadf788ae3d84bc92c02535fd62bec09d3307dc04e3e19b5d8af7d7

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
128KB

MD5
f9cc88fc9b0b3c4c6102430cd571ba44

SHA1
2b25cb40d84101ff1bb309c6a1ff0d43c23a1fea

SHA256
36158356bec8bf6f96f3277010d3c96d5962740b0c666f82e883f0f3f49a7d02

SHA512
5cea0ea49d0b8a3011ec0e9563256295b446d9093c681dd2f93f8661225d71d914da169a930a79fc081636b1405230c5b945f2a48b39378969f47c3faeb1d0f3

Download Submit
C:\Windows\SysWOW64\Cccpfa32.exe

Filesize
128KB

MD5
f03b37977f118f0a1a452fd23b069c9a

SHA1
66be5a5d5e0d3dcba3983d4ca2d0b33c9ca1cfae

SHA256
95b2deb42775611e9a05729d7edd36e360b78867f1d151dfa91db074f25db8bd

SHA512
e03a8c6e443ef700ae27af6bf4662bb9b16f8e350b12fd55c3e1bdf19f57732fbb83d42df2c8317bd89c1b8afebe235f7fc409f14201a2a48624c576d5e9dd7b

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
128KB

MD5
f01e4110b2682d189ebd329b9c230736

SHA1
b1f4e1feb18b42def128e4c64cda8f5451b46d3a

SHA256
d5c49c1dc4d4a63d0b73cd45537c154cc406e2b72f840b6f93e4c7edcd6f2e79

SHA512
bdb146cb1c9f58ad237adce419b73bf8344d7ec99eeb380842783f8b57a6a390cae0a5291a184439d9bc9013c459ecb2442a3f6bca6e38ddf4a5b58790ea0aa1

Download Submit
C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
128KB

MD5
bbe86fbe4e57f7c5edd7699f3ab53f4d

SHA1
5321735e28c36603a4a72d4cf3633b553bea08a7

SHA256
24b6cb36ce235a04e4d015005872470d1669e25600368edd43e5a45a71f3569d

SHA512
cfde145fcc715b874338952144a67fbe08dff8d3929b7dfda2828fd9aaf6a434a934df164755522d3162d9d8986457b6510aeffa6030ac7b832aeba7489bc8f7

Download Submit
C:\Windows\SysWOW64\Ceblbm32.exe

Filesize
128KB

MD5
849b6709606669149c743509895f41fb

SHA1
df79178cee4b0ad3accc66d8819bb4cbf15fd590

SHA256
442dd1554ebee33fc20d84805575f0d60b9c5498a4c5b04ec2b5f33eef6ef327

SHA512
75d01f9c7bd7e0b64ce24214e02fb3250edd4afd2696c0b6f6b5a91eaffdcb973b3f1abbc876cc059694143bd8c41a9aef018e5d50d62fef6a99a9eda1af3836

Download Submit
C:\Windows\SysWOW64\Cefemliq.exe

Filesize
128KB

MD5
23e109aaaa6118795cbcce9ed180a9d8

SHA1
23462da3e6823fbbd99f7b9e9071618959b84fed

SHA256
ccee6514b68a5f0585f38cd79852fab822a2a1780bc84a49f3f79b2636c2b936

SHA512
6c4a47cbb6eff287cbbd41dafe158e7830f612430c79e07ebee18fc65bff4c25597e7360db39b56b8988db01f48877f17bde4dfcfa0dc1590918326749d337d0

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
128KB

MD5
2844e60a82eb952e38e0da354d8457a4

SHA1
f515a6f69464cc58548806a27b23e300fc72900a

SHA256
3dd098bd202c955995b3d447e661a17fd7145de2a594ac1abf42c3024eaa99f6

SHA512
3a6d97a769694f11dade8160a78210aa8884f4a38e0ee028229159f6ac4c8377b266b7620d517bb5240573cb06727c6f9d3e3757306b1b98c56d3cdd94a0209e

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
128KB

MD5
cdd16b818f0b1cced7fe6eb50ddd067e

SHA1
882ebd2ae007d02dbecf2e047254b2b2b5ee569c

SHA256
3f8f408aabe86e2845e8556383a91a3276e95de6e7d4541355d1da3e03f1c925

SHA512
b4f8e94a3ab498cc3ed3185988ec01ae2de1780fc86b29a6f0d7ef95107515e17bd3b0cb367d183cbde878090286658a814df6149b5f1bfd6983c3d3d13c7741

Download Submit
C:\Windows\SysWOW64\Cipehkcl.exe

Filesize
128KB

MD5
570ae1cc29a3c75ec62f2d81fbbd6a9f

SHA1
4ef7e06c814fcdf986176c17aa7cfc41b19f6a4f

SHA256
144c964e2b613d59d0bf494d08775aecb69bb044746f98b4765f0f8e52ab86f2

SHA512
49e351d3e73eaf269c8a654f7142262c61717fa1a11a238dbcbfe39bb1074cdff0bff75a871938fc91ad86ddb4a3cbdc1ac32a3360bbe31dd65d17c9365fac38

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
128KB

MD5
2a999145828abf7f8ab71b2986e9bc1a

SHA1
e88b5118436c3a36ef86e549bf10cbcd9cb47c35

SHA256
8e1051db921dbc706c8d30cd60a1a20f6d60bb226ffa31eaf7eb3163b303b7e5

SHA512
aaa14322671c978a92f0a1238323fa221aeae9211e0347e356a06b1bf9d55ddd770261dba51257bb0583e7d4c8365ffc6b566e13b04e109b16bdfa72a91b383a

Download Submit
C:\Windows\SysWOW64\Clihig32.exe

Filesize
128KB

MD5
f9a298111df7f4f37228fe18fe312d75

SHA1
8863b603400cc27f7a1ee55486cd8b42730dc706

SHA256
b8e808f75a57f9ba7cc65b88ff945ee18667ea31f122b00cd08cee3ced3bc3ba

SHA512
cdaae3f9b105094304e5010e7dc9cb4a9aed77f1dcab331fb781a61b1c48a2263e00d376907bec59ff75127cf20d994bc614950e7d513e8cb49c5a7a20ec9b96

Download Submit
C:\Windows\SysWOW64\Clldogdc.exe

Filesize
128KB

MD5
a7d80b70f442be09d14ddb9520599bca

SHA1
56bcb87ad5d0f769319a57b1943042aefbb199c8

SHA256
fa03dc8a364d9a21f416f2e68535719f8b0c26e6fd1a8611b6320d017e011359

SHA512
e6ce31aec05e1b7e32fc1ab0d83061a8f5588c0bd23f10b91195844b0270528ec4d96a97eb846919c7cbda79c32bd7f804f51f0db104857959ebfa8413f539cf

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
128KB

MD5
4d4600044d393773e3f49a767bc745a3

SHA1
c2ecbf245ad72eaa18a00898ccb7461b63e16a4e

SHA256
42bebf865693c4a0b2a31bbcd5b6708ee9b49742bb4d0925f4fe749104a1237d

SHA512
eadcdda0a6860fba730b9ba7edd1a0e7a59ce72c22299909afa885da52c7c7ff47dbf42877ce6574dbcafe4af41b5fc209e14701be792c70ef05ef71e8d0b842

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
128KB

MD5
0c0f876d41035fced186cdba1398c763

SHA1
16ece61ccfc65de19e8083c75256e7e53e43e3a2

SHA256
70140b481bc3e9e8905e0fca562637d962de0bba9c279c9aa1d2416451db9a15

SHA512
c443fa7470c98389dd760a139ef3d8197a7b3119e869b2ef21b2be9c8f00856a648628ff6a62210823fa34c91034b8a07e1237e269f5acc333398078b4ca7353

Download Submit
C:\Windows\SysWOW64\Cojqkbdf.exe

Filesize
128KB

MD5
3da50e7f28f3697b0223d06dc254b837

SHA1
4e43820923e66f999bcd0e56c8f24f9375a97ecd

SHA256
fcc49cabd0f72c56d2e968609d40841de15772a6ecc990d71e6a6c51109eed33

SHA512
591d590a687a715d574435311a476dd7a879f24091fb9cd297b7e5fb941a40c9c8a7e189af39736e420fd3072ad2725107a668dae6c659f0234dada561164dd4

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
128KB

MD5
97534249623e3bef17c12ee26625f8f0

SHA1
f6c61b5ce9d206032f2f6b19622080203fcde3f4

SHA256
e344136bce33e9954ee1fc6d2164c9af5d357054866f55e7f2213ae36c2811b7

SHA512
5edf28c85d52d48c4a18b5ebf1361a203e196d1a5cfecf861b8247814accac28217e91013970ad6c7c6e13b443c2c83235492746db442029ec74eac4bc5d618f

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
128KB

MD5
2389e8b6c6db1f133a0662d319b0a28a

SHA1
38c58b374280faea6b6ed99c00f61d26623c8a6a

SHA256
17a93ecfea26e341ed7483a92a19e94b38e31a978e729da4bde7e8101ac4a3ca

SHA512
ad9210b6faed0a37cb335367755cdb2ba3640e3290edf3a625440b0287e6310a80932172d1b5484bf074fa02b0cf4cdb1406862224f63035df97c4668f11fb9c

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
128KB

MD5
c9cff432b4c1b6d4d75984e1a74ae8e6

SHA1
de39c2426283ea28467285a69214fb595d60e47d

SHA256
c06bf4968ec142e0735f2d4771aeb24115233e3e850f3fe3a05d55b0a14aa041

SHA512
c9d95c8b5beecd95299150aae4a6b2d8ae62699f62bbb9317c0ed3008922b45caa8374840fd9a91165f38707f83239e9b50d17fbc0b9e256f08a251bff42ccd7

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
128KB

MD5
bb6e72c7c1ae045871deb3d6c369695a

SHA1
8e25faf4ff43bfa750dd0df428eb882cf77a9a8e

SHA256
3b8d3aaba5c2911531bc8142a68942b285e70214de530e92e2fda016727925ea

SHA512
38983e3bc0380bd969bb8b8b3d01ac15c14e6c1e367fccbc49ffe0e07b45fefe8eaa6d5e9aae8a050ec57aed671ec5c9f018481b56c62e22243a8f996b6a89cb

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
128KB

MD5
577169c068000e3d3f976054c9033668

SHA1
26cd0d416a1e728afc668651a21ba1d268fea2ba

SHA256
9668a79f1c32c41591c6e5471e3eb22bcc02344eee0afe4e072c8eab77a739c1

SHA512
baacdac266955cfaad9cc99769cf1dffddf60b2a8ef5a63ee1b7fbea1063fc74d96393c2a7bb95a03f540fdfd293a6277d54ba4491a547afcd75271e08ebf4b4

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
128KB

MD5
2d7b8deb20d2ad850fa1bfa302e3ff83

SHA1
26ba944fbeb8ada5389cb4cae5e3f856648b1c0a

SHA256
cc5a43b37bb9e9134e8a0d2b3c72a5e6d4a2a588e2e3db0a1d0ae0719804ba27

SHA512
0307b6acb0fe2fe0976abcae95dfa6117b709d913b341b5a74118bd3cd694c77fa041b5794def9f22fb4d6854bef51067c42d0257197e6fc68acdee17282c74c

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
128KB

MD5
1a5445bfb40d78514a06d10159aacef6

SHA1
806f66de7ae1c2008c70f2d0d416ff90b5ca8eb7

SHA256
0c6a235be47550c591203a0252b84a19e02e73ffe2f081d1609dc23c1ef4402b

SHA512
f1858996313d4dd5ff2556c4577fd6aca03d8c30c6425ee564d9fa79d60d1ed2e001ee9290bc7ced45644f64b893a5670be6e4ebdf7e95be2436fe2975d6d0c2

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
128KB

MD5
e1b5d173785024032cbf1a7e7c8a86c1

SHA1
ecbdeb5c60c63dbfb07f48ca87b55285ac41c586

SHA256
6241b2b03e5f58192d71fe6cdf35b2a0b922557919ff848d81fee943a738b936

SHA512
76f1f918a038bf2c8ae26a927375e486c2ca1f95ba433a83de31ce2bef72dd5e40a7fab8e15c664d684964cc93e4a00bca4ccf92d87d2922b5d93ea21b84faae

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
128KB

MD5
c86718888e268847b517e759ae7deba1

SHA1
2483c0f4693598cdcf0e639b6643d53539637f6a

SHA256
be2fa8f6e6b1edfe3925b9fc3545ceef6b6ec1e85697e8092a433d5f4cd5623c

SHA512
a81c220b8937489f88554c6d302774a432197fa25521013ded90d90e4ad5bf756ef2dc7773eb43ce7f35a8d44b84648c58d280dd36f72ce4ec3d3858712402eb

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
128KB

MD5
094424444c182626eddf7e27035c8dce

SHA1
2f1b93e1471625edb20e4868c088e7b772d40243

SHA256
a82e7fcd1138a5cbefa0069b8749cf7d443958c828666871a287697418e1b1c9

SHA512
32d6780b077c7381ff81ed8c18d05792eb95852d3e1660ea28ced9257bb49f18eda7163ea0f8e997f63aea85b903c4b9877e2965aaafddc249ecd5966881747f

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
128KB

MD5
3d9b7d0a53011c16031e344c200cc763

SHA1
5be9be82b8016491a976f8d071588aa226d9a7df

SHA256
8d6df5fe8cafeee00665f9c167715a36d836a44c54f1e31535dcf15baa91512d

SHA512
ffff8e8eb26cee228a26841baf91b1af4a6c38c11617f8ed30315fbbf10708da91a5191324fffa2ec515c8743034e6658f272fcf4f0812998692dc9ce056e6b5

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
128KB

MD5
1249651bfe86baf2132fa3bf68896f13

SHA1
1565abf39c0357b15319c0a061cda064ad72709a

SHA256
705f7158b13638111aff130c6c9e6866dd8e32d0470dce579496bba759670983

SHA512
87521872debc41857501e0a480a6502764e0088089a60707fdb5393054593ab65c8c9a5db52acaea9e050aa7d18812a76e8cdd817b7e1960d6271d2422f271bb

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
128KB

MD5
8a831cf819604cbb0992702905d23702

SHA1
613b446ec1e578f9b8eed6dc92fec5f760ba926e

SHA256
69e6d51c57abe2f5ade3c684cf2e289ebdb2b51f7b28822871a7fc9aceb5a906

SHA512
ec10c451f0abad61dee3b5af8f9c2318fa078e942ec928bb23a43a2cf2cafe8fed7232471ac7f8609dc7793eea2af5409f529cd4ae79b43db086822e4a64401d

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
128KB

MD5
9b7a48a5169b57a15e5276f4bca7f656

SHA1
6ac9185ac5c5dad4746d8d1190e9726072a70c90

SHA256
e848bdcd00be296cf53ca689fa12f40363fa56283486cde779c2527ef5a3c5d6

SHA512
7ce21779544d4bd34fb8c9602c333f777f0983a5c3a2135b7355e5448f9fd9ae47e2ce64933cc3f6734f331e8effc548406351959696843fe97a9bad0aef72f1

Download Submit
C:\Windows\SysWOW64\Mkomif32.dll

Filesize
7KB

MD5
f5be6c2c923fd3de0687c1262d89d05c

SHA1
fb274282acbed3864b268c0dd292f94ea9a7d641

SHA256
44da0d2471713da40f410261b196cf7a5ef51e106ddb61a5f396eded97010246

SHA512
680858bcad2afdda171b638f52d4668e2eb128cb096aa4027bbfa6f499b9846555f8fb8729d7b4d1f226577c3bd8eb163e8bac70fa9d836f073bf5a90bc2da0a

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
128KB

MD5
3917a1276b1416952a73f73421dec744

SHA1
3fbd38b04e15a3908d36e8e29556a34336d6f59d

SHA256
7ac6ed519a81fe8fc8945ee38abf25b320c10acbc4c7ce0eefba2532c6f93cfe

SHA512
d4a4889ea2738868a78eadaece8dcb97ddcd4e9534cc615e66fcde1e13d2fca3ae1b9f185a591db8ca0df0b1057f7df18d03271392cb5d458c99871a71cc60ee

Download Submit
memory/544-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/552-272-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/648-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1228-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1232-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1428-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1772-400-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1860-412-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2324-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2984-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3172-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3176-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3312-328-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3384-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3412-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3432-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3628-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-430-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4236-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4256-320-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4356-418-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4444-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4492-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4632-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4708-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4772-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4896-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4964-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5004-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5020-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads