e8b48a38fee2cce4612e1f8b028932ab6f47fd7bc2e784e62fe55a5792b8b0b8

Analysis

max time kernel
139s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8b48a38fee2cce4612e1f8b028932ab6f47fd7bc2e784e62fe55a5792b8b0b8.exe
Size

96KB
MD5

af929b4916b48b97fb465723c0dac285
SHA1

169516c734e47004e6f7f78acf23feb70b2ad8d2
SHA256

e8b48a38fee2cce4612e1f8b028932ab6f47fd7bc2e784e62fe55a5792b8b0b8
SHA512

38536c15aeea1f12e4eb0bd153474883c05a33e3559f6967dcf9bb8ed839e8f42862e78e723b03313be29639805b076dee3c01078389e107bf315b70906f35a2
SSDEEP

1536:0UY2pGV8J/ssmzN3EpfL4Z2buZF+PK6ON7pbK/MAMq/HduV9jojTIvjrH:4kGy5ZmB0FL4Z2PjON7pbK/MPq/d69j1

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cedihl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhlhjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cidncj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpgqpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagiil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coojfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe

Executes dropped EXE 64 IoCs

pid	Process
3608	Chphoh32.exe
1572	Cpgqpe32.exe
460	Cedihl32.exe
3284	Clnadfbp.exe
2984	Cakjmm32.exe
2340	Cibank32.exe
4640	Cpljkdig.exe
4616	Coojfa32.exe
1428	Cidncj32.exe
2628	Clckpf32.exe
2024	Capchmmb.exe
3732	Digkijmd.exe
3008	Dpacfd32.exe
4464	Dcopbp32.exe
5100	Diihojkb.exe
4892	Dhlhjf32.exe
4296	Dpcpkc32.exe
2104	Dofpgqji.exe
4352	Djlddi32.exe
4852	Dohmlp32.exe
3944	Dagiil32.exe
3492	Djnaji32.exe
4112	Dllmfd32.exe
648	Dokjbp32.exe
2732	Dlojkddn.exe
3952	Dchbhn32.exe
4128	Elagacbk.exe
3556	Eckonn32.exe
4764	Efikji32.exe
1540	Epopgbia.exe
652	Ebploj32.exe
4312	Ehjdldfl.exe
492	Eodlho32.exe
4140	Ejjqeg32.exe
2764	Eqciba32.exe
4520	Eofinnkf.exe
2504	Efpajh32.exe
2876	Ehonfc32.exe
3584	Eqfeha32.exe
3588	Fbgbpihg.exe
2512	Fjnjqfij.exe
4360	Fmmfmbhn.exe
3892	Fcgoilpj.exe
4952	Ffekegon.exe
548	Ficgacna.exe
4444	Fqkocpod.exe
380	Fbllkh32.exe
4144	Fjcclf32.exe
2576	Fqmlhpla.exe
3408	Fbnhphbp.exe
2204	Fjepaecb.exe
3108	Fmclmabe.exe
3092	Fobiilai.exe
3504	Fbqefhpm.exe
2500	Fjhmgeao.exe
3888	Fqaeco32.exe
1100	Gbcakg32.exe
4504	Gimjhafg.exe
5016	Gogbdl32.exe
3220	Gbenqg32.exe
1084	Gjlfbd32.exe
4576	Gmkbnp32.exe
4340	Goiojk32.exe
4972	Gjocgdkg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jpqikhah.dll	Chphoh32.exe
File created	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Jepjeoec.dll	Cpljkdig.exe
File created	C:\Windows\SysWOW64\Efpajh32.exe	Eofinnkf.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Elagacbk.exe	Dchbhn32.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Jilbbcha.dll	Cedihl32.exe
File created	C:\Windows\SysWOW64\Habnjm32.exe	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cpljkdig.exe	Cibank32.exe
File created	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gfhqbe32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Dpacfd32.exe	Digkijmd.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jplmmfmi.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Fjnjqfij.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fqaeco32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Dpcpkc32.exe	Dhlhjf32.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Eceakm32.dll	Dofpgqji.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Eqciba32.exe
File created	C:\Windows\SysWOW64\Qfiapa32.dll	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kkihknfg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6328	6400	WerFault.exe	282

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpljkdig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojigmkeg.dll"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cichoi32.dll"	Efikji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hionfema.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclgpkgk.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqqjmnii.dll"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgkkkd32.dll"	Dpacfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfedle32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3608	4016	e8b48a38fee2cce4612e1f8b028932ab6f47fd7bc2e784e62fe55a5792b8b0b8.exe	84
PID 4016 wrote to memory of 3608	4016	e8b48a38fee2cce4612e1f8b028932ab6f47fd7bc2e784e62fe55a5792b8b0b8.exe	84
PID 4016 wrote to memory of 3608	4016	e8b48a38fee2cce4612e1f8b028932ab6f47fd7bc2e784e62fe55a5792b8b0b8.exe	84
PID 3608 wrote to memory of 1572	3608	Chphoh32.exe	85
PID 3608 wrote to memory of 1572	3608	Chphoh32.exe	85
PID 3608 wrote to memory of 1572	3608	Chphoh32.exe	85
PID 1572 wrote to memory of 460	1572	Cpgqpe32.exe	86
PID 1572 wrote to memory of 460	1572	Cpgqpe32.exe	86
PID 1572 wrote to memory of 460	1572	Cpgqpe32.exe	86
PID 460 wrote to memory of 3284	460	Cedihl32.exe	87
PID 460 wrote to memory of 3284	460	Cedihl32.exe	87
PID 460 wrote to memory of 3284	460	Cedihl32.exe	87
PID 3284 wrote to memory of 2984	3284	Clnadfbp.exe	88
PID 3284 wrote to memory of 2984	3284	Clnadfbp.exe	88
PID 3284 wrote to memory of 2984	3284	Clnadfbp.exe	88
PID 2984 wrote to memory of 2340	2984	Cakjmm32.exe	89
PID 2984 wrote to memory of 2340	2984	Cakjmm32.exe	89
PID 2984 wrote to memory of 2340	2984	Cakjmm32.exe	89
PID 2340 wrote to memory of 4640	2340	Cibank32.exe	90
PID 2340 wrote to memory of 4640	2340	Cibank32.exe	90
PID 2340 wrote to memory of 4640	2340	Cibank32.exe	90
PID 4640 wrote to memory of 4616	4640	Cpljkdig.exe	91
PID 4640 wrote to memory of 4616	4640	Cpljkdig.exe	91
PID 4640 wrote to memory of 4616	4640	Cpljkdig.exe	91
PID 4616 wrote to memory of 1428	4616	Coojfa32.exe	92
PID 4616 wrote to memory of 1428	4616	Coojfa32.exe	92
PID 4616 wrote to memory of 1428	4616	Coojfa32.exe	92
PID 1428 wrote to memory of 2628	1428	Cidncj32.exe	93
PID 1428 wrote to memory of 2628	1428	Cidncj32.exe	93
PID 1428 wrote to memory of 2628	1428	Cidncj32.exe	93
PID 2628 wrote to memory of 2024	2628	Clckpf32.exe	94
PID 2628 wrote to memory of 2024	2628	Clckpf32.exe	94
PID 2628 wrote to memory of 2024	2628	Clckpf32.exe	94
PID 2024 wrote to memory of 3732	2024	Capchmmb.exe	95
PID 2024 wrote to memory of 3732	2024	Capchmmb.exe	95
PID 2024 wrote to memory of 3732	2024	Capchmmb.exe	95
PID 3732 wrote to memory of 3008	3732	Digkijmd.exe	96
PID 3732 wrote to memory of 3008	3732	Digkijmd.exe	96
PID 3732 wrote to memory of 3008	3732	Digkijmd.exe	96
PID 3008 wrote to memory of 4464	3008	Dpacfd32.exe	97
PID 3008 wrote to memory of 4464	3008	Dpacfd32.exe	97
PID 3008 wrote to memory of 4464	3008	Dpacfd32.exe	97
PID 4464 wrote to memory of 5100	4464	Dcopbp32.exe	99
PID 4464 wrote to memory of 5100	4464	Dcopbp32.exe	99
PID 4464 wrote to memory of 5100	4464	Dcopbp32.exe	99
PID 5100 wrote to memory of 4892	5100	Diihojkb.exe	100
PID 5100 wrote to memory of 4892	5100	Diihojkb.exe	100
PID 5100 wrote to memory of 4892	5100	Diihojkb.exe	100
PID 4892 wrote to memory of 4296	4892	Dhlhjf32.exe	101
PID 4892 wrote to memory of 4296	4892	Dhlhjf32.exe	101
PID 4892 wrote to memory of 4296	4892	Dhlhjf32.exe	101
PID 4296 wrote to memory of 2104	4296	Dpcpkc32.exe	102
PID 4296 wrote to memory of 2104	4296	Dpcpkc32.exe	102
PID 4296 wrote to memory of 2104	4296	Dpcpkc32.exe	102
PID 2104 wrote to memory of 4352	2104	Dofpgqji.exe	103
PID 2104 wrote to memory of 4352	2104	Dofpgqji.exe	103
PID 2104 wrote to memory of 4352	2104	Dofpgqji.exe	103
PID 4352 wrote to memory of 4852	4352	Djlddi32.exe	104
PID 4352 wrote to memory of 4852	4352	Djlddi32.exe	104
PID 4352 wrote to memory of 4852	4352	Djlddi32.exe	104
PID 4852 wrote to memory of 3944	4852	Dohmlp32.exe	105
PID 4852 wrote to memory of 3944	4852	Dohmlp32.exe	105
PID 4852 wrote to memory of 3944	4852	Dohmlp32.exe	105
PID 3944 wrote to memory of 3492	3944	Dagiil32.exe	106

C:\Users\Admin\AppData\Local\Temp\e8b48a38fee2cce4612e1f8b028932ab6f47fd7bc2e784e62fe55a5792b8b0b8.exe
"C:\Users\Admin\AppData\Local\Temp\e8b48a38fee2cce4612e1f8b028932ab6f47fd7bc2e784e62fe55a5792b8b0b8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\Chphoh32.exe
  C:\Windows\system32\Chphoh32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\SysWOW64\Cpgqpe32.exe
    C:\Windows\system32\Cpgqpe32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\Cedihl32.exe
      C:\Windows\system32\Cedihl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:460
    - - C:\Windows\SysWOW64\Clnadfbp.exe
        
        C:\Windows\system32\Clnadfbp.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Windows\SysWOW64\Cakjmm32.exe
        
        C:\Windows\system32\Cakjmm32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Cibank32.exe
        
        C:\Windows\system32\Cibank32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Cpljkdig.exe
        
        C:\Windows\system32\Cpljkdig.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Dpcpkc32.exe
        
        C:\Windows\system32\Dpcpkc32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        23⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        24⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        26⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3952
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        28⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        29⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        31⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        34⤵
        Executes dropped EXE
        
        PID:492
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        38⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3584
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        42⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        43⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        44⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4952
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        46⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        52⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        53⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        54⤵
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        56⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        63⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        64⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        66⤵
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        67⤵
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        70⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        72⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        74⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        75⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        76⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        77⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        78⤵
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4244
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        80⤵
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4564
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:940
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        83⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        84⤵
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        86⤵
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3244
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5236
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        91⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        92⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5420
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        94⤵
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5620
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        102⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        104⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        106⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        107⤵
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        108⤵
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        109⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        111⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5660
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        114⤵
        Drops file in System32 directory
        
        PID:5756
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        115⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        117⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        118⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        120⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        122⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        123⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        124⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        125⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        126⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        127⤵
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        128⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        129⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        133⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5428
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        138⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        139⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        141⤵
        Drops file in System32 directory
        
        PID:6208
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        142⤵
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        146⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6476
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6564
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        150⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        151⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        152⤵
        Modifies registry class
        
        PID:6692
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        153⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        154⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        155⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        156⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        158⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        159⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7088
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        162⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        164⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6332
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        167⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        168⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        169⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        170⤵
        Drops file in System32 directory
        
        PID:6704
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6776
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        172⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        173⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6996
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        175⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        176⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6236
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6460
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6624
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        180⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        181⤵
        Drops file in System32 directory
        
        PID:6844
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6932
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        183⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7120
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        186⤵
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        187⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        189⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        190⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 232
        191⤵
        Program crash
        
        PID:6328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6400 -ip 6400
1⤵
PID:7080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
96KB

MD5
3e6e32673019a9eb56258e307484decb

SHA1
87815aa4a885850435d3d1f5e5fe6c683cbe4a09

SHA256
45e63d7f84889c05508e2b786cf5e35aabb185a7e83f4a8378709d059f39e232

SHA512
39dc95ec089ab99bc133b50a8ea54761ea63e361ae7236b816d1df9df61d0f7e0fc3f9225837b28a83cfe812dff3f6de2ec2695d90091842a4db4857a1307b4e

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
96KB

MD5
9a7932bd9652d3a697386a40f2480ac7

SHA1
aac9318500cfd89fa60bdd1f9e1c72ab9dc8e458

SHA256
6334f0b4d8f78cc5caf6380fbe1341d239d94a3f6d3b0163f7e60942d5e48e09

SHA512
9608e230b87298499650540cf20f2fbcc3126614727669a389539aac063e38f2895225a464267d5761e238935daa0ad96af1f9b8b1936d4b9952a89bd57d0212

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
96KB

MD5
32a538c85663f449ebb5fcfc23c8fc2e

SHA1
c2a3000df59ab7e5780220d27b479f02fdd0b3dc

SHA256
273fe924975f931c6932823638d6311e5cc93d657f8d8b63d59f73497ec50657

SHA512
1332d2e6d09c3de10fc363e4217172407492789143d65d3f94b819cbf3f3a384af09a0652e3de0c870010a525d9302ee52de1a78ff948581ce2bb1dcdb805ac7

Download Submit
C:\Windows\SysWOW64\Chphoh32.exe

Filesize
96KB

MD5
ba77ee81e221d08892ed0549552ce7e1

SHA1
586d525830991045144d726985e333ea10740814

SHA256
c9bb4f1960d43f5a69f87a64e552879f13efe5e6657307ac388c4cad61c52210

SHA512
6f2e88a58f60e38d924db1fda526681ede847461ecc9adfd66f7c40a5461d91367998fe9101fc7c3fc7301b651b8cd7a1d59f328214d49cd80b223c11112bb8a

Download Submit
C:\Windows\SysWOW64\Cibank32.exe

Filesize
96KB

MD5
273940b5c033808eedfb3d417c2b348e

SHA1
c3093b8e57581f85d0c31c4535775e9ac8f55298

SHA256
1f653ca38a93d050772c5bf82b2e0d3522357a7d64f5e70ac3463754e5fd1d86

SHA512
36ac4d4405455b3acba9a6e97781d4250672140d191a39c3780991cda672a80c500e432856b1480e3e60a53a629b20e73b2a7de891f87a10cdc1d5c7420b4829

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
96KB

MD5
c5ff00d52353b174854d4cb98142cd03

SHA1
4909cfdb4095be87e08c01a3a8070d8f28904345

SHA256
d8b92565e42761d3748db878d6ac451c85d31be90ff9bdd99d205eb1c7e90e35

SHA512
8d4b241eef1f4b3d1851c5422829c2529ec4b46792804c1c201ca971e1a3fa4ffba47d41f8013af51874ca166123b44166cc8f16315096ce2fac0fe588237186

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
96KB

MD5
da5f0d3acecf2d9886e3b4efe9e105ff

SHA1
a17931496922d9cff771f7a84f57fed57ea43816

SHA256
7a5d020ed1a5b4921caa27056abab868b1baf8f5c590756caff7a06f76f06cc1

SHA512
b75daa0687c4b0ac969e1e7d93ec70e9130ac958a050641a33e6aa5a80db7de4af86ece437ab74daccfb1b2895176384e94ab2079d77b954aebe5a8796abeaee

Download Submit
C:\Windows\SysWOW64\Clnadfbp.exe

Filesize
96KB

MD5
d4df26d512311f98cd47d4b40ae928fb

SHA1
63d109c10921d3baddbbe380e3bd1683d72e4739

SHA256
2c3fcc0f8121981fd552c5598a5e813b27cb1bd8123023bd0eff3b957c44081c

SHA512
290fd95a22b0dccbb4ee3635baebb225f265cdadeea39406eb83577d5951b0c28bc66069b063f03f20bda8da87399ad8cd508798b3d34a846bcf0eff8d54dceb

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
96KB

MD5
ee1b4faf4ff8cfa43bd9629e6bb4b9e1

SHA1
2d7531cfce85d3ed6b9634a5da1c6de41c34155b

SHA256
85faaf36f42fc0fe9cf81c703c5a9b06244be2f544594bc9bd324f847cf1cfbc

SHA512
4fcf5a31ec45fad71aed97126d1e179d17b179eba005ccd457aaf202283ffb28b38e4a9f57cb5923a5d7412d61f556ae54f01679e3566e4ae2251636072e0862

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
96KB

MD5
853b5012e72427d3181ec48edb3513b9

SHA1
43e1360691b5ff3d139dc02e8106f3b81a70bb87

SHA256
d457e3f9fca142d885500613e845de77ab929619426eba11caa96482206bbfb7

SHA512
dca9f98873fd357c104340826099a7fd50d5456e8a9012588b1d7c14b78762a1b5288f5a9a586c1ce78f9e5e38382b8aa98ef85126e64f0ea5cf33c50c2b19f4

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
96KB

MD5
ba5342c30be44aee244c05b5a48ddffa

SHA1
a74619171dd05c898293b87dfb6baad40dd2d776

SHA256
dfe27f91529eae17e12c21029a4114e4fec4f877593c608fbf851bd9bed7a07e

SHA512
305a117b8aa49bb91efd957c6708cde1458080350d3a00faf13baf8a8cb75ee9f1cf6fccbaa6dc9c69c1a0c07f24b00d62d8a695d91a980c9c6f1ad1a61e8543

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
96KB

MD5
753cef5aeef693ec8f5ebd798cc29f89

SHA1
627540cacb83d4f0caaafc04de7ea16e3cbf199e

SHA256
0b1de45842c9c588aee372c18b74c28dd449e75e3b9b2739bb6383faf9686c9e

SHA512
3d493dbda07241537dfd70a0462bbad05d2d42cc127b6c7ea65e73de9d2b92d7718fbb53db17b26e98d33ddf774065cb9e1ce3d31128058508dff84004a351b3

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
96KB

MD5
2c7f1dc7cfb1a06dc229835bd874a355

SHA1
8a7db619cf04ddbbb3c38e7a01e80275224050ff

SHA256
c269acb67bba67fb3fb490f8a764a5b53098619bad8d80ebfc812454cbbf9aac

SHA512
e49b8315a6d7380c322ae81b69c8dbbb9fb6bf53635cb8d2f18c1ba67b996a7f08896c84b06af11fa3d05872056e7238dfb10a40da0ed844b3b83a3e697547c0

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
96KB

MD5
0b78f26bd951266586acab53a88eff06

SHA1
9e8ab509732a8d551f81fb7a722e73b25db9e5ba

SHA256
03cec81adb14ca97a35153f7f2be149ebf073152132f752cd5367f135aed190f

SHA512
3ef54663cebee71fe61f205f96497eae53324f00343bcb97db362e1436de0fb663f07d669ad502f887b2a48eeaf48249ed1546ab12d1240d5368144d5f95e1cd

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
96KB

MD5
bd5cbc55a2ace6e5185d556ff018c12d

SHA1
db929cbcb2b1b843a3ad4b8f8039390c2887f3eb

SHA256
06e69b23f6656aa981fbd4f7751021044b2f2b232a6a1a417e9ebe09597f0db5

SHA512
cb78f67e5334a78b7eeb9bf720b8d570de8870295a0b5e65b0c6f82c22be69e34cd647988d67be2900a8cf724f5f61eff06f309d2c63cd77b19c414989541dd0

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
96KB

MD5
ca14ada83763a47d6d5d6c9ed8cb79e9

SHA1
6ad16abdec72c801c5984dec5ab2fd153e87cd7a

SHA256
6da2db7dd268cbc1d8942e65a20bd0e603e61146014028e29577eaf785588710

SHA512
835c445bab51eba3cec3400ccf8f32fa5c40c6f6d197aad7447a724033ec895990fa91659916223cf4c3899f72b99a9e0963ff571d995885256fe44b7c443b30

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
96KB

MD5
0e096b03fd4ac87b89b6cb34635bda96

SHA1
dd06c31e45aa8187318db8ea2660fa2f3c306589

SHA256
cd6981c7d9578b2227a15bbe4f3190eb7d25cc9edb13140958012922f860c87b

SHA512
dc3bdd4559ec329f3f6f1d9988732eee3306cc4d0abf0e24b4dc414d49ef2f11e4962f7f0b96e68f4434ff24cfdfe121a79d2fea4fde68ba2f04bf07095eda3d

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
96KB

MD5
6a4a7485a1b71ce7e9dbe79d4c54999d

SHA1
95616087fd5327240a39420c530ca188afefb6e0

SHA256
556f6b86cf8be18cf7d579fde638024d295dc42fae80951e0f42baf0e00afbca

SHA512
71b0da092b657f781e9bb47cfebf34bb1c83ca4448e97d2cb4f5ce33f39080a1edc8f31bb3d9805ccd9ef2b2cafaab9a46d85b81f0c332da9643fa47f3bc4994

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
96KB

MD5
8e760214fcfaa81a279732fb9d69c37f

SHA1
4a8f3670ea4d9ae6e2b1381324cc7d71c481e3ad

SHA256
7d1b4e2c5ec8ae84ecd4375cbc6f029d63d85b12e0f50a803e4e6c75abe39a67

SHA512
8133bc990376114f365f30193218fd58eb6cb80a72471acac23f0c4706abfb7aaa095500d37ca3b03ee9691915e44803b74db775fc51ae05abf7e477e3210dc1

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
96KB

MD5
107c24f6feeca443282fbe6ac6dee433

SHA1
8c04232126eef1716065978006db306958bb648a

SHA256
d3ef7edd3d2e25aa8ecb4df654de800fe50592ce7457816eb63625d545723305

SHA512
f86372303f2d7de7f19db4ddffab122f06e139de79da79416d3b4c72107881abc2ee5858c352960694155133b6b916b90940f2f068a5154d6c64bc5aef91d8c8

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
96KB

MD5
622bb763054e4b28cb11771df458a259

SHA1
ffbed2fee71d87c76d403011dd001b6cf3fa0bd6

SHA256
1e905a8d7c73caccdc56f689d937d2921586b49c5ebd51118f139b7fe0442009

SHA512
10e80120c70f8696d29ccb41623435bb35732ed48cf0891189d720c34b9c05fcaa5209f9273c50743e454d34d967fcf6186f829f0ad3d96f0ad648062301a207

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
96KB

MD5
0536836480c00dccdfef615250a8aaab

SHA1
306613432a8c2afd569398b4b779e43b8e16e0cf

SHA256
28a03877f0c2ac2fe97bb8da330517014a609bd9337b261d84806e4a91a6685b

SHA512
b731eb0fb4c82eaa1f15d96eefa8890e7033beca8008550112572cea1407878f80b9e5e968b79133562ec215496a309743828e95e2dcf722a28124eceec7e89d

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
96KB

MD5
338a513f5794545e731dbc9b18d508d3

SHA1
f577f62e40b8bcea497af291fa210696ec057c15

SHA256
130505b0350631abc4985a1c635bf9ac36017eedb46c1974fe7d14f1098c43e5

SHA512
e9460e818b30aed2945fc5d84b369190fa95036162c0dc560352b1d9ad07645030913d1f94444ceb8dcd1de6db8c9e574deb0282f63abb7fb3d5ae561d2c7ed4

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
96KB

MD5
7a477fc3dfe45a180d5c3a0be99377ec

SHA1
52b185a8523b4da33ae7802c449525ae4c448e9e

SHA256
c1c346b2222727a5cf134928f6408ce202f0d9ac489ae9646bbe3487cbe01b0c

SHA512
576e4324a0fea6eceb95f575530652bc452338399f6df6978b86575af5cdcea415f2395d54b643bbdd40347e7932b51958ac80512e6d1aa304e5e914f78c031b

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
96KB

MD5
340006c778e623e669ffca1cf46d9558

SHA1
bea8eba853c775f36947a3665b71f72854875b21

SHA256
4430bdd0fc30f94b5ccafc09a76c0850fa2105dd6a2d090869bd2611363ff066

SHA512
32b6acbb17a7a2c8dc896ee4f63493ea6e75aa9f935e181c4d676e976b65cad72fc7f75d8cc0e4a8863e650422f4baa61119697cf124582c3030e1d9bf8860e3

Download Submit
C:\Windows\SysWOW64\Dpcpkc32.exe

Filesize
96KB

MD5
66fcc2830e43c50e4d345ac01e477aec

SHA1
a81945def3563ae9b8a7396bba3d5fc26b1481c6

SHA256
214bf11f654c3213f84038e6d9648be1733da7ed57a924d8d825d809fb5db559

SHA512
95623eba4f8f53dc95e26c529bda7421fc6ab4b6d9007adbd7d93d725de7153a8484a54a2b10b5b9783cfdbda40e4a52e91305da6423cf709a2e0b40c8a16483

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
96KB

MD5
262c1c60d3327f99f3ed61dc493e1f74

SHA1
f3c5a73c2bdac480536c721dae97df51d824d29b

SHA256
36c5c9f6773fd5a011b38a6a65f25cc70fdf1af862a37961434c6cd81049bf8f

SHA512
e074a25e53639d38cba6bafca0690da5ed3ea8fcdc439b5e5173eb2ab0b54b5fb45fb27c4666a9db7336ebda2c4040eb2525e323c2afd67c7ac60eea08c3168d

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
96KB

MD5
09b8f0fb3aba78c01fb00c2b86371d27

SHA1
388fbb5d492e2739bea956e7628047f5b0feec15

SHA256
7ccb90a98064b7064078d2d442ca138228ac3e2e102de49b00eecf057e253204

SHA512
bb86ca78be76c707a9862d42d3d3b240dc7e17e755a4b481248d035032d709b3b5eec88d532ce6771300b6cd136ebd430b1a8aa75cb49ec285c52904700a47de

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
96KB

MD5
bbcddd716ac987eff2676f9b0550894c

SHA1
7c080759e205e08cad005cc18956738bec3b56cd

SHA256
1fb41c5064323d77bf913d0306c15492f601af129d6dea436ab6236466f8ab83

SHA512
70e13b5234a9e630da3187f5a6833a9079c4a8e131bea6dda3b7f212b09e8fbe0fdab2126776d4f036b174672527fb8def13b17d19f5468ae9af86c150e5b577

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
96KB

MD5
3582d8531f67772dbe7dd8318b134fda

SHA1
6fe88b8b31426ca49162f7ec5bbcd5172617ad6f

SHA256
19440280832619f70c18764af8cabef9e26ef4a0fd6b5ccb134876d83cb41c2f

SHA512
6fcbd8a099028ea7f6675106b1ec93c3437eefc357972de99919e7293c53cf9c50092ef35f11dde20a9fb3dc3d6befd5597cf4bc062020443e80c8ef50db6a03

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
96KB

MD5
7cedce4219a4179cd5a745bbd0ec2219

SHA1
9ce50406df52aad468f2da621ad1976db436af5b

SHA256
3d8156e3bfe22d8d108dba2c30129fb68064fc59da67cc270397a1a4fe6954f6

SHA512
18618adefca4ad576f6044ce4773a5d396622b2212b4ebbd4c23984cbd2e6f99701e4a2cc77433b2455ec93dc4a06a4269c1507bddeabd70f1f207df1a688db7

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
96KB

MD5
89971424ec24aa4dbdd7c39406ee2b3b

SHA1
61923eebb65f0a0a9d50c6deafbdeee98f5ae758

SHA256
d63afc71ed3e9161136a13ff0a84f4e6a3fb9dab988d0accba891b05bf5e95f8

SHA512
1f20d8f29d1c8badaa40d99545c86a16b32bea3524b03836e2e69a76b054b2d971901016787baa9d00f144de2d0dda27d996c8d776e48c7f6204d9ff5bfd0d13

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
96KB

MD5
bf4e45286dfd5cd8f7e5460e35bf82da

SHA1
b0b83ac9a4b74f3d68549cd3b4c8f6be384f82d5

SHA256
5cc65095878ab0e573d13977b2db94a3b4881be5f9f32c41a38e972b2834c9e1

SHA512
b48ba2553020e3b00809aa807e5282248dc73f4c62fc685e00dc89cfbd5c0a483ea0d16a2fd2b9b26fa49fde2cbcc56561621cf02bb2ad88dbd660fd7c3a6860

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
96KB

MD5
fb0d0f115de3d05f53de190f434d4414

SHA1
ce69193b81d94f759ece009309a333ae07dae6ce

SHA256
339d3fd9121ab1b5906fe7d835059ff0f7e37bc3051aa9dc93a3ab84cc7f6dd2

SHA512
b5534745503605160ae55f37e7330e7d620353b9e14e7a10a314e28deba2b79b460e2e3e937e833bf6e81c653ba0de58f9c9e27130e9f5dc598460b36ed91a5b

Download Submit
C:\Windows\SysWOW64\Gkebcqkl.dll

Filesize
7KB

MD5
0a740a4482318633b486ac019e7d67c4

SHA1
7f2bd54b8fe108acdad3c93a3f0cbe945374a0d6

SHA256
71ae04598ea40b45905c14ff6505e6a282ccc9c2a3f1fa8a4eb3971e182026a8

SHA512
9a549c0e8bcf84884c92d06fe93b3fb88802ceb38aa1316670ad2f2000d296722936c7ba3a8906c3e2db0c58d75de904303b1e808fda33587ee4998994a62fe1

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
96KB

MD5
4720163ccb0a934596a09b72278cff51

SHA1
d3fb9103568ddd5771db2fcd87707841a3376c5c

SHA256
03be30f7eb8d6de579510403af744890f20480a37b9e26dce305cb6cccaa044c

SHA512
3f15319653c33e74ac3707932a3729bfcd852f64afcf15c590fc87faf68325368eee3eda0e52a1a552e4a4c6cfd3654e69be72da815d27f50ad6f8acd5ce4fef

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
96KB

MD5
1659a7497513ed7c2a53948031447978

SHA1
dc07eb4d550402fe549ca2a7d054a7c66e57d89b

SHA256
be8e2eb8b6ae747e0f6440a12ad98a76ace8c75ff0edcbc2d15a352ac84d758e

SHA512
db555df0d9d23fd61382b08ff9285dbb2c80b04c199f0b61cfaf292661f1b49662f4192ff944f6a0e8c5caffdea1d3e748d4a57d5f058101185681db62544352

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
96KB

MD5
4fb69c9f1af22546edfd87666a573aa4

SHA1
01e5e493788cd04193a35ae0412c5f9a51eb8ddb

SHA256
eb168d94140d90f5de2a0fac6b6f0847d34e484f0383f4b8d5b042432d72979a

SHA512
086b3bb63ca381478a08a789f7d9d626942e7189f3523d6d6eb141d8ead20f3b065b384e57a8a7c19bd3ac1b46403cc98fcd829f44941ed559902bc36ba35ad2

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
96KB

MD5
1a70c4f572a09b8becba2b2de0152618

SHA1
5376644e1ee16d2631ee3bc086e6193f96670efa

SHA256
8eedde06eff87d826b0ac509546842dc5ffaa5a672a9ff440f8cd0b698955169

SHA512
42226c013d8227c4d1d02a5dc3118279c162b063c6f108f3a0f5f5aacf56bc27a6815e93064eec893c4a7a06e5d41f22f4d297a30f8f60ff061f20b03c51b8b2

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
96KB

MD5
4ff76e98cfea6afc940dce3646d94464

SHA1
91444b7363fa8ac8ce748296ed97b3d71b68af40

SHA256
962dc8a7c8033afddb1a60b11cba931fc6882f4faae4c93781e112b6eda7d827

SHA512
ed8eac82226f53b1067dcc9fa6f8bbe95da0e2be37925e30aab5e9861dbad195403b00307d1df221fc2d82469d3de3efa9a862ed5253c31e8b3042a1d640f0f3

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
96KB

MD5
12ccca9e7335dc828cc5b618c7825fd6

SHA1
1069073df977f4cb1ecc3c72007e851e88a41bc1

SHA256
3622eb1f983afedff567da32f66f1581992fe1dccbcc375863d55f55579707ae

SHA512
46094ac98c57c29f3dc3ae5705376122eaa8d0521170ae5db1ffeb0fb4465b3f0b6d5e07d359a345afa0f2ba6721afdb3ce7859ba28b6aae8d3c7547cc1f36cf

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
96KB

MD5
890f39d59e87de619c1b76dd3d3ec0f1

SHA1
9f2e9354e43279822e27489d60300c83eb14bef1

SHA256
1abadd1dbfa092728865169aaa8318df8c148f25542e655288f711b79102557a

SHA512
7b9af3017147ff4aa9f3d041c6f9188438277a5656dc8b6117f31856a4265e4b929bccb243d2a7197d420df20df0175897eab458ee5288b267642859273bd7cf

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
96KB

MD5
24f0fcd91d0b5b56d0c64b3ac4b1c68c

SHA1
65312d3c9f80c16ec8bef81b3297ee58198fc180

SHA256
8173fa2e8e6b77684a66d31a22eb8f8cbb9b9daabba7d28b3d1c4f5e8b1991af

SHA512
5bc6fa90cadb4540d0e87a847007dc1d35a7e8854ea07802ab239d55a98d967bf866ac8cee089c360b121639b2b08016a4a1446e46627a784e82749404b4112c

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
64KB

MD5
4acbdba3c3e510e77cbb9b5e6634145a

SHA1
d683b572290bcd3c00de0a1d293758e931c8b851

SHA256
970804dcea0f7b5a7784d37776d4ad164dab94d4297d91437df30cdd980829b8

SHA512
10a8626ca25ac5e4875009c331eb4cc5f232b764f9e495e577ffd2d0db24a8abe0c7825450b3b938163ce6f5e0e88473efdf76d7b3c0fdb83002e93b8f76896a

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
96KB

MD5
31b6c0bbe8fbc7d1895a7409b743a8fc

SHA1
87f5d4438d752853e2408572e6448f6be9fa13f0

SHA256
3a0c8dc80c098414bbc80a1b8ca7d954654f227ddff608339ab8fb00b89b0143

SHA512
2a22c0c7728e649f7d512f1b3f855367ee1c96241b7d7fdce7b7a8465a12d63192b928d1f20a545361a932d40276d05841b8fa047b8186cadd2699228ac2ba9f

Download Submit
memory/116-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/380-346-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/460-565-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/460-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/492-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/532-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/548-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/648-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/652-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/940-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1040-494-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1084-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1100-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1428-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1540-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1572-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1572-563-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2024-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2124-472-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2204-370-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2340-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2340-48-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2504-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2512-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2528-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2576-358-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2628-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2732-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2876-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2920-482-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-507-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3008-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3092-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3108-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3132-513-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3136-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3176-501-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3220-427-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3244-587-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3284-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3284-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3408-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3432-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3492-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3504-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3556-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3584-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3588-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3608-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3608-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3732-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3888-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3892-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3944-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3952-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4016-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4016-548-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4112-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4128-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4136-518-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4140-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4144-352-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-532-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4296-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4312-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4340-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4384-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4444-344-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4448-525-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4464-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4504-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4520-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-550-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4616-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4636-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4640-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4640-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4764-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-470-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4892-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-580-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4952-328-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4972-450-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5016-422-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5052-577-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5100-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5128-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads