298b74fe4c36ab4d1f5d611d1ba0f64d230bf9f5fc74468dfafb2be88bfebd0d

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

298b74fe4c36ab4d1f5d611d1ba0f64d230bf9f5fc74468dfafb2be88bfebd0d.exe
Size

402KB
MD5

2b9170b22f8a9f3d27e90bd0b6695b4d
SHA1

7ebebae54477307ba565ee0f35a3e65a4ffb8c50
SHA256

298b74fe4c36ab4d1f5d611d1ba0f64d230bf9f5fc74468dfafb2be88bfebd0d
SHA512

23670f1c4ae3650b5e258a9dc9488ad58aba815789c7b765362c7f64d618987c52c1817a16db8755d460bada92e71e8e35fea08810b9009ec2935fb6621637cf
SSDEEP

6144:sKKtEsabWDwau93ay9rbLPvTpN0xHuwdkAj51VezfHZ3neNZpGkXo+TCCYOs5PHw:snaRCDwauRayJU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceibclgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dephckaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cekohk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Digkijmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djlddi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcalgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dagiil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coojfa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhjkdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djpnohej.exe

Executes dropped EXE 64 IoCs

pid	Process
4976	Cakjmm32.exe
4420	Chebighd.exe
1848	Cpljkdig.exe
4808	Coojfa32.exe
2864	Camfbm32.exe
2836	Ceibclgn.exe
2892	Cidncj32.exe
2224	Clckpf32.exe
5088	Cpofpdgd.exe
1432	Coagla32.exe
3728	Ccmclp32.exe
2496	Cekohk32.exe
1408	Digkijmd.exe
4700	Dhjkdg32.exe
3156	Dpacfd32.exe
3360	Doccaall.exe
3684	Dcopbp32.exe
4196	Denlnk32.exe
1216	Diihojkb.exe
3276	Dhlhjf32.exe
1880	Dlgdkeje.exe
4124	Dofpgqji.exe
4584	Dcalgo32.exe
100	Dephckaf.exe
400	Djlddi32.exe
4844	Dljqpd32.exe
1076	Dpemacql.exe
4076	Dohmlp32.exe
2936	Dcdimopp.exe
4292	Dagiil32.exe
3596	Debeijoc.exe
1520	Djnaji32.exe
3680	Dllmfd32.exe
456	Dphifcoi.exe
2380	Daifnk32.exe
996	Dfdbojmq.exe
3412	Djpnohej.exe
708	Dhcnke32.exe
4276	Dpjflb32.exe
1900	Domfgpca.exe
468	Dchbhn32.exe
1260	Efgodj32.exe
4716	Ejbkehcg.exe
2068	Ehekqe32.exe
2008	Elagacbk.exe
4012	Epmcab32.exe
2276	Eoocmoao.exe
624	Ebnoikqb.exe
2288	Efikji32.exe
4236	Ejegjh32.exe
3516	Ehhgfdho.exe
4820	Elccfc32.exe
3692	Eoapbo32.exe
432	Ecmlcmhe.exe
1940	Ebploj32.exe
3428	Eflhoigi.exe
2488	Ejgdpg32.exe
2992	Eleplc32.exe
1180	Eqalmafo.exe
4708	Eodlho32.exe
3316	Ebbidj32.exe
4580	Efneehef.exe
4372	Ehlaaddj.exe
4824	Elhmablc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fifdgblo.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Kojeoiop.dll	Dpemacql.exe
File created	C:\Windows\SysWOW64\Kpmkpqcp.dll	Daifnk32.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Denlnk32.exe	Dcopbp32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Lbdcekmm.dll	Ffbnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ipckgh32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Hkccjejn.dll	Chebighd.exe
File created	C:\Windows\SysWOW64\Mbfppi32.dll	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Jfjdddho.dll	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Domfgpca.exe	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Dpacfd32.exe	Dhjkdg32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Dcdimopp.exe	Dohmlp32.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Coojfa32.exe	Cpljkdig.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Ehonfc32.exe
File opened for modification	C:\Windows\SysWOW64\Debeijoc.exe	Dagiil32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Khkchobp.dll	Cakjmm32.exe
File created	C:\Windows\SysWOW64\Fllceb32.dll	Djlddi32.exe
File created	C:\Windows\SysWOW64\Bdhngp32.dll	Dcdimopp.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Eflhoigi.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Iiibkn32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Emjjgbjp.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Dhcnke32.exe	Djpnohej.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Djnaji32.exe	Debeijoc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6620	6500	WerFault.exe	254

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chebighd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dofpgqji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Denlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmeac32.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpacfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmljla32.dll"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daifnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkfba32.dll"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll"	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkccjejn.dll"	Chebighd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djlddi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oijnep32.dll"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jidbflcj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 4976	1244	298b74fe4c36ab4d1f5d611d1ba0f64d230bf9f5fc74468dfafb2be88bfebd0d.exe	83
PID 1244 wrote to memory of 4976	1244	298b74fe4c36ab4d1f5d611d1ba0f64d230bf9f5fc74468dfafb2be88bfebd0d.exe	83
PID 1244 wrote to memory of 4976	1244	298b74fe4c36ab4d1f5d611d1ba0f64d230bf9f5fc74468dfafb2be88bfebd0d.exe	83
PID 4976 wrote to memory of 4420	4976	Cakjmm32.exe	84
PID 4976 wrote to memory of 4420	4976	Cakjmm32.exe	84
PID 4976 wrote to memory of 4420	4976	Cakjmm32.exe	84
PID 4420 wrote to memory of 1848	4420	Chebighd.exe	85
PID 4420 wrote to memory of 1848	4420	Chebighd.exe	85
PID 4420 wrote to memory of 1848	4420	Chebighd.exe	85
PID 1848 wrote to memory of 4808	1848	Cpljkdig.exe	86
PID 1848 wrote to memory of 4808	1848	Cpljkdig.exe	86
PID 1848 wrote to memory of 4808	1848	Cpljkdig.exe	86
PID 4808 wrote to memory of 2864	4808	Coojfa32.exe	87
PID 4808 wrote to memory of 2864	4808	Coojfa32.exe	87
PID 4808 wrote to memory of 2864	4808	Coojfa32.exe	87
PID 2864 wrote to memory of 2836	2864	Camfbm32.exe	88
PID 2864 wrote to memory of 2836	2864	Camfbm32.exe	88
PID 2864 wrote to memory of 2836	2864	Camfbm32.exe	88
PID 2836 wrote to memory of 2892	2836	Ceibclgn.exe	89
PID 2836 wrote to memory of 2892	2836	Ceibclgn.exe	89
PID 2836 wrote to memory of 2892	2836	Ceibclgn.exe	89
PID 2892 wrote to memory of 2224	2892	Cidncj32.exe	90
PID 2892 wrote to memory of 2224	2892	Cidncj32.exe	90
PID 2892 wrote to memory of 2224	2892	Cidncj32.exe	90
PID 2224 wrote to memory of 5088	2224	Clckpf32.exe	91
PID 2224 wrote to memory of 5088	2224	Clckpf32.exe	91
PID 2224 wrote to memory of 5088	2224	Clckpf32.exe	91
PID 5088 wrote to memory of 1432	5088	Cpofpdgd.exe	92
PID 5088 wrote to memory of 1432	5088	Cpofpdgd.exe	92
PID 5088 wrote to memory of 1432	5088	Cpofpdgd.exe	92
PID 1432 wrote to memory of 3728	1432	Coagla32.exe	93
PID 1432 wrote to memory of 3728	1432	Coagla32.exe	93
PID 1432 wrote to memory of 3728	1432	Coagla32.exe	93
PID 3728 wrote to memory of 2496	3728	Ccmclp32.exe	94
PID 3728 wrote to memory of 2496	3728	Ccmclp32.exe	94
PID 3728 wrote to memory of 2496	3728	Ccmclp32.exe	94
PID 2496 wrote to memory of 1408	2496	Cekohk32.exe	95
PID 2496 wrote to memory of 1408	2496	Cekohk32.exe	95
PID 2496 wrote to memory of 1408	2496	Cekohk32.exe	95
PID 1408 wrote to memory of 4700	1408	Digkijmd.exe	96
PID 1408 wrote to memory of 4700	1408	Digkijmd.exe	96
PID 1408 wrote to memory of 4700	1408	Digkijmd.exe	96
PID 4700 wrote to memory of 3156	4700	Dhjkdg32.exe	97
PID 4700 wrote to memory of 3156	4700	Dhjkdg32.exe	97
PID 4700 wrote to memory of 3156	4700	Dhjkdg32.exe	97
PID 3156 wrote to memory of 3360	3156	Dpacfd32.exe	98
PID 3156 wrote to memory of 3360	3156	Dpacfd32.exe	98
PID 3156 wrote to memory of 3360	3156	Dpacfd32.exe	98
PID 3360 wrote to memory of 3684	3360	Doccaall.exe	99
PID 3360 wrote to memory of 3684	3360	Doccaall.exe	99
PID 3360 wrote to memory of 3684	3360	Doccaall.exe	99
PID 3684 wrote to memory of 4196	3684	Dcopbp32.exe	100
PID 3684 wrote to memory of 4196	3684	Dcopbp32.exe	100
PID 3684 wrote to memory of 4196	3684	Dcopbp32.exe	100
PID 4196 wrote to memory of 1216	4196	Denlnk32.exe	101
PID 4196 wrote to memory of 1216	4196	Denlnk32.exe	101
PID 4196 wrote to memory of 1216	4196	Denlnk32.exe	101
PID 1216 wrote to memory of 3276	1216	Diihojkb.exe	102
PID 1216 wrote to memory of 3276	1216	Diihojkb.exe	102
PID 1216 wrote to memory of 3276	1216	Diihojkb.exe	102
PID 3276 wrote to memory of 1880	3276	Dhlhjf32.exe	103
PID 3276 wrote to memory of 1880	3276	Dhlhjf32.exe	103
PID 3276 wrote to memory of 1880	3276	Dhlhjf32.exe	103
PID 1880 wrote to memory of 4124	1880	Dlgdkeje.exe	104

C:\Users\Admin\AppData\Local\Temp\298b74fe4c36ab4d1f5d611d1ba0f64d230bf9f5fc74468dfafb2be88bfebd0d.exe
"C:\Users\Admin\AppData\Local\Temp\298b74fe4c36ab4d1f5d611d1ba0f64d230bf9f5fc74468dfafb2be88bfebd0d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\Cakjmm32.exe
  C:\Windows\system32\Cakjmm32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\Chebighd.exe
    C:\Windows\system32\Chebighd.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\SysWOW64\Cpljkdig.exe
      C:\Windows\system32\Cpljkdig.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1848
    - - C:\Windows\SysWOW64\Coojfa32.exe
        
        C:\Windows\system32\Coojfa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
      - C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Ceibclgn.exe
        
        C:\Windows\system32\Ceibclgn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Cidncj32.exe
        
        C:\Windows\system32\Cidncj32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Ccmclp32.exe
        
        C:\Windows\system32\Ccmclp32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Cekohk32.exe
        
        C:\Windows\system32\Cekohk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Digkijmd.exe
        
        C:\Windows\system32\Digkijmd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Dhjkdg32.exe
        
        C:\Windows\system32\Dhjkdg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\SysWOW64\Dpacfd32.exe
        
        C:\Windows\system32\Dpacfd32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Dcopbp32.exe
        
        C:\Windows\system32\Dcopbp32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Denlnk32.exe
        
        C:\Windows\system32\Denlnk32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Diihojkb.exe
        
        C:\Windows\system32\Diihojkb.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Dlgdkeje.exe
        
        C:\Windows\system32\Dlgdkeje.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Dcalgo32.exe
        
        C:\Windows\system32\Dcalgo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Dephckaf.exe
        
        C:\Windows\system32\Dephckaf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:100
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\Dljqpd32.exe
        
        C:\Windows\system32\Dljqpd32.exe
        27⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Dpemacql.exe
        
        C:\Windows\system32\Dpemacql.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\Dcdimopp.exe
        
        C:\Windows\system32\Dcdimopp.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3596
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        33⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        34⤵
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        35⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        42⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        44⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        47⤵
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        52⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        53⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        54⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:432
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        58⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4372
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        65⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        67⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        68⤵
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        69⤵
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:920
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        72⤵
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        76⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4692
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        81⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5108
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        83⤵
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        84⤵
        Drops file in System32 directory
        
        PID:1660
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        86⤵
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        88⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        89⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2244
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        91⤵
        
        PID:976
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        93⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        94⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        96⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        97⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        98⤵
        Drops file in System32 directory
        
        PID:4816
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        99⤵
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        101⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2532
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3344
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        107⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        108⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        110⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        111⤵
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        115⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        116⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5752
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        118⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        120⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        122⤵
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6048
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        126⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        127⤵
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        128⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        130⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        131⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        136⤵
        Drops file in System32 directory
        
        PID:5800
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        137⤵
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        138⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        139⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        141⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        142⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        143⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        145⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        146⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        147⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        148⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        150⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        153⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        154⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        155⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        157⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        159⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        165⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6336
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        169⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        170⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6500 -s 412
        171⤵
        Program crash
        
        PID:6620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6500 -ip 6500
1⤵
PID:6568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cakjmm32.exe

Filesize
402KB

MD5
4b34c43a54f6f44e9a5365b19eaa2657

SHA1
a510c722ee284759135b2793bd8bd2da6d9833b1

SHA256
94e01897cff354c342e8093481209835eade9a515d87bf50bf691fd902ceeb93

SHA512
5477d9ad0c44346ac68bf348382c59a6dd1b845dfc580cd3c0942729816caeba92e1d2983d985f46bd74d4307f135fd5b028ba981a5dca3f4c495e2deec82702

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
402KB

MD5
bca332bf8ed7d6dce45f7fcd1467579c

SHA1
c35824d1b8aac07164b195aa74644e883b0ee70b

SHA256
cdf24a8e46c1a9ad9162571d9caf191643c84e0ba7e236e51be3c7afd5780467

SHA512
51016906df3814771069b2a47cb53a3492eace5b7b2df6a545f778a8dfcbb7349c137460ac995d457915774db814fa5c88273c9a441c8fc8d8dd0757c01163e8

Download Submit
C:\Windows\SysWOW64\Ccmclp32.exe

Filesize
402KB

MD5
992d89cb4e20275856cc83b4ab4b5690

SHA1
0d34c3b97cf1cd364af831af545d38579f100f04

SHA256
5ae9b7804e031c1a4cc5f2e2d9c1cb9757d0db865992dd06d7dd8d700e91ac02

SHA512
fbbf1479ac48b0b5106ae3eefa325f283f53ab17eec48c7f2c2613ad4f4ff8484bfae9118fb250b23e1cdcc53cfd935137ed4739e4346d65fb097a633c23a1dd

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
402KB

MD5
72f108ccff06aa1973b56c2986d84cd3

SHA1
6bd5b6416c8b775868db7f91d2a7d898850b15cd

SHA256
f0787cf3f114871daa7416e6d600c0d4df85a99b01495e7a0f75ee5c096f130a

SHA512
16d03af7df47ec09bb13cc5a372e7630201c5ec08b84f9bfa3afd851332f46c9afbd61032deee627aa50f232fed4c549b975da320e9791895718e89eec0e626a

Download Submit
C:\Windows\SysWOW64\Cekohk32.exe

Filesize
402KB

MD5
6005917d602131a48784a0378ff0e39a

SHA1
89344d0ccf4d8779bd1abea46dba40bf8961ee90

SHA256
fc96093f2ff22f4a5e4921101858932b73d2e8240e7a4d0b2ea616e130ef36e9

SHA512
ab0b46cdb37159889f249b2e35f52cf3b2913a5f76a2e42966dc424b7ad84a4d9619ba717a560a28725cb0a2cb859995985c8f3123d1e5804c783c0984615d8c

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
402KB

MD5
5baf4722af2fa692e7cdee98e1a10308

SHA1
81b75767aa0b434bcf233ea0c985d3534beb2c8d

SHA256
3ec51bbeb26be70976d61077ffdb40e708a07e71611792bfc9cd769c1ba08c5e

SHA512
614829a1a8c446969ecde9df61195f55ed547d342b0a493844d40cb6c66ace72e6e7ce2b5630ec706a81679467bf756797ca13429815a5f3ed6891af43e9642b

Download Submit
C:\Windows\SysWOW64\Cidncj32.exe

Filesize
402KB

MD5
5896dfee5f0a0a8f40358614291b0f78

SHA1
7ee4a53821896d932aad99010275d47cd8ff34e9

SHA256
5a567d70ce3a2be7932de85b193332d62340544b8a8a651f089194e948a2a153

SHA512
5066cfdb38da2d42ede2d3e928e1f8a35e03764a23ae04f80854ff3502160c5e15b3bb939134256fb8d42b7410ad510dbc33cbacdd0910a3c613a89c94cee1ce

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
402KB

MD5
f798ee6829524836ebe20a0d470fb708

SHA1
e21944129d5908970d3c1159a0c13d3e956974e5

SHA256
aa7a5811e6cb31363ea5372e30c34e2566fa939fbb25c830701324e94b825b24

SHA512
b23e67de9d235be966998147c661626a8f54f25485ae13bf4b8dc201693b507c8bd0f4058b87414a44650f61449fcd0fad7b76010fa511d49742e7fb22282381

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
402KB

MD5
a14a7f834568b1698ffae68257d0504d

SHA1
01464258d632c893292c200772603737007d6802

SHA256
c2986554278c54fcf7f4411bd060bbc0d40675bee8ca33fbec6fea7abbc0fe74

SHA512
06fe321487a2c95e6a42bd167c4e63a92a76f18a3783f79ebd7b34d182bf3fcfebeb9fb51556d7eb9c0dff733762dbfc104a51643c0307d15a87f6ad9dc8d75d

Download Submit
C:\Windows\SysWOW64\Coojfa32.exe

Filesize
402KB

MD5
3dfef06578ed258822882a48032dd74f

SHA1
3809489f22bd87609c5c06e002bfc5f053659a59

SHA256
69e36c8e1ab7ea3da65c135a851147651f2fefa5c1e0a8be1030299fafe8bd42

SHA512
1e1a8996bb225b44d8ed66a26cba19f6c83584632ed2bf055ecb1f3026e56a3cdc0deff51cdf0b2c3d0cd653ba4d15a14254f1b03d7b8a680a5a52386276aefb

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
402KB

MD5
4f238aeceda090f7f16d67cf33aa3813

SHA1
2bd99fe7cd5fb5d6cbfead2c0a03a5f8d1188a43

SHA256
d0010bf210cffd1dd89e01184b3c0bb7c0eaa3940f0a66f82ce302b7ada36ca5

SHA512
81fba62ead01ee5a1e99ef87ae59aa60bd203344aca95a44553eb383ec2591ac3d73251acab45d0a13e91930122ed7ad157fcfa8e9f6c2fd498a27912435b702

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
402KB

MD5
6320cbfd38301874be84a35cd08b1cb6

SHA1
f265546e16f4772e14048fae32ef175f8a107b78

SHA256
ca0206e26e744100a1aa40281b24c4a68f3fc705f4414ac30497240a4f1f806a

SHA512
5443134e3f35a8c318e62f208a0fbd3904e614ef8c2a5e5548c9363891b0e22ae54d8fdbfd7f5cb0ea3c0358ef1da05209f1be607628d547c8ffe21855877cf0

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
402KB

MD5
8d9d5d490082e557fd3b6bddebabc8aa

SHA1
7e72e6b9a76552c999d8f180151af28e56c8c4b2

SHA256
531f14059f7b36dcdf8450fdad3403264c7b497ee7806040af90e942edd10bd9

SHA512
c05481d6996cd525a553702f0497836ab9ed7d67ecbdc6b87b4f279378bba2d698299edcb9addc7783f210a9d2371d94cf2fd84116d33c3873da652638be7ab4

Download Submit
C:\Windows\SysWOW64\Dcalgo32.exe

Filesize
402KB

MD5
6c0ba720562f63b435f0695ab427511a

SHA1
d04d1e8149855a62d85a7f9f4babb70339732171

SHA256
57bcadac19414da1fa7549b29a23e1e1b041214eaadeb37a9337de0159389803

SHA512
3f46c8c6bb53059a775c0ad6f23a5379a2fddbdbbe7fbf8d70bd89e3bbe7eb57abb33bdd32a624c4a6aac6ad16e898e545c20ec41a7489b3cacaa9572a85913c

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
402KB

MD5
8952ef9ba92b45cf07b874da2a6ec5ed

SHA1
d61690dca0ced553496d2f17173e358485b40f5b

SHA256
f9f795c7132c9e603bc4008f816cb4239133da56e94aa6b7e4f1ed61cc84bcc1

SHA512
ec5f16fc57a57fbff31b27e5c9d56d3fd8624071fe906f9727effa45c3efbcdf8566cc08a4501ab989abfbe055f0287324802e38a3a3c979894846b97197d074

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
402KB

MD5
572df5b523c3b03a829f499d5cb23c3b

SHA1
38baba5898e945d9159be8862a8ee9ae93854ba8

SHA256
aaf859845307787919f4550d341b7249c2e59234788f2996b0b751e97d1d4cc9

SHA512
5dff34342e4ab6dec8fac47013cdd582b6c4a4703972063e45154863ecb648b104e0ea0dcbb9d2547dd4abe4a02f33e394c8f5ebfa6d04dcd8d4566d8ef1eb96

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
402KB

MD5
b73f2a1ee1b578278a8a687b28dd2b87

SHA1
85ba889b1b5fc0dea7684535b46b9fd11ba2f3c0

SHA256
f72a0d6f691ddf443eea87d317ec2b948f53d0a8818ce02c40e0a93354a6d3f0

SHA512
9ba9088260f0c5bc8f030c7fea9d6e753696c7fd7a50a2beace2cbbafd4e26ec26e4292d991de4a868f6963cb84969b152159a8df965f4037c5b48380f639d3d

Download Submit
C:\Windows\SysWOW64\Denlnk32.exe

Filesize
402KB

MD5
40cc271131d84f066ed14f0c41f88826

SHA1
90619e98b07eea02f24569eceebffd96abbe7ed7

SHA256
e217fad53a748aa7bb3b733e0f9f1412a62e877442f7fd2a1d2ee7028580d94f

SHA512
0018089645d4afd4ad25dbce3b38b6d172fa5a16379affb3703142290bfbb0a654f2a43ae1ec6641f21985f9dd2fed8a9c3806b60baa52f25275964bfac11bf4

Download Submit
C:\Windows\SysWOW64\Dephckaf.exe

Filesize
402KB

MD5
da5a370fc011e22beff40e2014efcd60

SHA1
a913d8ee0bbb98e0c93d8a42f69882b32874ab01

SHA256
c892e68014ce7d3dca8e4678696529d83824025fae141074ff321c8a68950b47

SHA512
0453c8d5bdd77b6ad2fa02d4c0dfe9c289c9224a4a3411c1c271f5fcc7e620ae7bed3f1fc9f8ff1e3bb569b57e6c948a3e924f9ba5629729486269896c8cfa98

Download Submit
C:\Windows\SysWOW64\Dhjkdg32.exe

Filesize
402KB

MD5
d369f099a038dde93ab9ceed5ba54ed0

SHA1
b7117e3fe703de53302daa78c449f35c10d6d330

SHA256
83165f56a7880535c4cf11508aaf7d57281fc7173f0a1563fb41413506b5c79b

SHA512
7905f3701365bced0909756d31f4525db2683818f75e093b36daddabc39a60058eb16b9a6311fa20767afb47a224e6ac61072462a0dd43867da13823ba34f354

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
402KB

MD5
bf98cc962da3d4757091c84ef2ab6ffb

SHA1
c0fbe842ece4ddbe7fb78a4abc3487dedf2e3207

SHA256
d5e2004aee836596db0bf929184dadcbeeea428c96717652d0ffea70a306ea1f

SHA512
28e9ac250a9c9c0f730abe2d7e3118b3c51a7ef5e963697c0d0b9afda524399a6a69bb773a38458b233f67f9981f7c7ccaa9c8bd1b7315bb1abe6685f37a584d

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
402KB

MD5
1cb458eda6629b48d9be336e1b6cdd83

SHA1
d030ef21fe4fdb786032ee16bb821154b4da757d

SHA256
cb0143a48b6c64c344c2054af8f2b34b36fc7b0759b6ef29446cd9dcdef99136

SHA512
d3e55ddedbf383cb735dfc8d7846a8b681cbff173831ef0c95650569d21c6649cc39cb948f990768a278076812305f1b59676eb2309a3b2a16a186ca991e3985

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
402KB

MD5
7a0a27c281017296f93f8f6aa1d3e0cb

SHA1
4263a05c5e3f201d5dc959a8f8d6b6872e19d57d

SHA256
74c53fca25073d23a575eb071f16d6dcc92b02319e56dd1586a64e66f5aeba5f

SHA512
3da8dfa1e08c39c16bebd67ebb3daf74147227802c00637a44670d6a7916f7e86d0bdbbede7660dac0f707d738e7aa449d79fd0c9a845e0364c42540813aca94

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
402KB

MD5
255c5cb4c53c7c816a6434b21a1ef176

SHA1
d729c0376843461e6ab606d6d14749260ff8b3e7

SHA256
6ddbd4e2349ecccef849cee9de8404e326542b50e4f8220f29dedb13cf51ff83

SHA512
8742e94a34c9d1ff1ecadde2e8646a4776543c5d77fa3162fdbbc684c523fda9ce9becbaff19597b3bae41e0d075184e1b567e21dc190f61062b8e727bd0e5ac

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
402KB

MD5
805ca11f4223a38d8fe74a4607500ae2

SHA1
ab638bcb1b7cb48135dfbc61d233e63870f5e7e8

SHA256
a30e1a7ccd4f729364687473daa3856b317fd45ef4a3ead15bb2fb98948a0cb3

SHA512
aa502b20ee3a748a5605505110a7d9a8705070f19194534139970e1c4adf33e61e4324beecdceb30d1f0e870b9b4c076133e8cb379c037cbfc8e34ccd159dd9d

Download Submit
C:\Windows\SysWOW64\Dlgdkeje.exe

Filesize
402KB

MD5
f428edff471d88b774a634c770bf4c09

SHA1
956b830903e398e3d2254f835cbe620441bdb6f7

SHA256
a556cddbd54eedf27da216ce910933960dfa22d549eba0cba9f25ee21bd7466c

SHA512
ae2cae037e3f6e795183e41965169e95e461c794a715639cea6273db077d4b31bd7b162e9ac7c601e269053eeeb41e910093b8b8ca3a78d009069b239b3dbe6b

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
402KB

MD5
211fa198d1245ed8b6344cc6b33328bc

SHA1
edc811b75ffff1a3c9cdbfc4e1b6a9c6be6e8b40

SHA256
ed659a6fc67538bfd70ceead13e53de44e6bfa0b373e06bc6e4d285a330e2a06

SHA512
9154b60a6c08c4ac8cfc04c6fd6b534738e101db6aacee5fd00f0d60164366716fbfac92bd857cddcfdb1f4b7425af37b2d193a6a147fafdae71c6ae8a5eb65e

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
402KB

MD5
5f56b834499e332bb001447d48864f3c

SHA1
3a11eab189452266cb51788301abf49d8289fb8d

SHA256
d41839f9e415114391decd6ee302964fc156741bccf03f0be5cf68a544ef688b

SHA512
aa808fedbd05c3588f123c1f7ddafa38066c73950840650371ac257ac1d44b5eedd0ff56eff40109ee7b5412a1d7e9ea87a123c7a019917262155936f2525ad6

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
402KB

MD5
e2688195e29333a79ee2ed3a5a035a67

SHA1
94ffbf54134eae745fe74f5f9d6e44c470e3f6ce

SHA256
e465e227bcb119ddf7d408294c60df51e80d5fd81762bf6f447ff62d41f98951

SHA512
37af1cf699679b21b2c9bbdebabe8d3ee69121e162fed35e2d81f9a21c7c7d89d64071d2859364d4e5a3d02bf93ef864572c7700d0dc5c1b151c7a098de0fe1c

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
402KB

MD5
aaa973c3c09d4087737651559c5cd740

SHA1
c4db9f04d6f33f5c058a36908ff4817a6673d400

SHA256
19f3b9c18f09fa5af36eec870ed72cbc16f12f1631480f49f96eab961c0d230c

SHA512
7a3d192b5696eff4469b506acb404d645d55496e56e62c6f6473422a26b9987042da89c6bf87e158090d81a08a1f94049b942e6e28d23cd152dc43009d6a50fd

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
402KB

MD5
76b9410513ed8a06070367774f7a638d

SHA1
6a935026d49f327b3e54075737c1b942dad0dba4

SHA256
f9d49d1a396902b56ad7103e6e40dd2c023391d5b6705296e3cbc5371819e95d

SHA512
060ab1be117728e5ac994fa1c43b5d3fb2285c26670d30df72f54841836188f8448bad1ea780e362573ff84985fc1c8440e4edaf4eb3b165f86025318d7541d3

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
402KB

MD5
dada6b0e8cf35504499539c041c478df

SHA1
6b30a746cfdb6ba3106ef5b2882b075948125dd2

SHA256
ffaa119e7baa54c25cb0733ae2aea51b99c5362a393f77c17af0a5d2a1a099b0

SHA512
b74575050dd7b79fad99fde3f85776c2dfe4470440116e950bfb96ee666795502b62d4db12e58162ec0e739c156e9b2211ef81a57b3cf19ca92cb2f2f45c48a5

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
402KB

MD5
c275635771844ac2f549c71c509eb373

SHA1
bb61c3ef320a4718417877d0c54a1fd49af9d8c7

SHA256
5c342d21214ee0891663edc904ac4738b7efdb3f4eea6e46de8a567e46a4ed7e

SHA512
1a9ddadc1cf924d45c46ae2faeea658d92be17c22e966576e4e8a6149331251f17d3a42a198ccdb3f3bc875a21144c289bdcab7d06c3feea71b9216ec0440fca

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
402KB

MD5
d9a2a547a7b5dcda2171cd5feaab2c4c

SHA1
d19ac4214b0ef28a2d9e38f49f58ba3533ae0522

SHA256
ef29e5ec9feb46fb1784e4ce00b48803289ecd0c77772016bc397515e6993852

SHA512
de70ed0e102caeba5be2426207a39a25f49f4644202d160d55ade471a22c47883ff42967cbe735e1ff0a5d4573a7b6ef81a991057db734311579b7ee309144b3

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
402KB

MD5
9ea7eefc39df573f67831986b73d05ca

SHA1
8b0c2ccf1e34e76ceadd1d749aa88c6ee55c1cec

SHA256
a4516840e582d723e7d515189f27ca3dbcdb403df6aba9d11290079e67b1a951

SHA512
1b63f1c6c117b3f07d95a62bae3966ff9fb16af7b968c3bc9c26644fe8aead99fbc15e8001dd821724e0c339fa51c946c52e951a8f79b3322f692480db3da8a7

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
402KB

MD5
0eba0217e48ef447e32e557df0b0404a

SHA1
2d66fd8ce742ef68774be5c014310db87b5ac645

SHA256
2a8a3356136e9770936090741adbccee98f035830070307a140cdf757347318b

SHA512
2739d691cb065f55ec368cc6dfd22351ad3dcd22266c9c47cc8c66c6c605179ccdc5193c49785be9f7173614dd53005783c641ff1e6721fadfbadcdcb18e0a0f

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
402KB

MD5
d35f5d4588821e3f46cc38d73a0a077e

SHA1
4ccdd3ca848378498d9dfa4534de0303b2d4498a

SHA256
07edc56081be47e9729b6165a961212eaedefbfa1093e96fa4aeac7063b566d8

SHA512
f11f7e3a9c533deb0cbf879104594dd85134e8b8895711f8b75b82cec7a97deffb6ac1501da92354e9a353ec24f399fdb6f3564d6a655fabde59187dc9dbce98

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
256KB

MD5
609b2c23f293221346693bb0908705e7

SHA1
5d03d01695eaadc46cdc6bc9705aa7ce3729a671

SHA256
12732099a77e51ef1a0603458aa8a0dacb9afc71b546c733c95617be58cc5dce

SHA512
e9ef8fa7212bb201d78b6edb11516a01ce9d68293d902718e34fa5145c4cebb8e0f61f1c8003d2938d7a0f5137039d911859f1742b66dc14dbc5676bd617aeee

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
256KB

MD5
09e2d5ee4bae4dab17726a9387efc193

SHA1
7b0e335d98181007aa789d1aabe7767d7aa17ad6

SHA256
d51993b2a6a0b8a4899e062d30a6b38b6fa84d4175169b19058fe0f2b5c53cdf

SHA512
f91c4a4159c452498409bdc50ae38e105080088c3845cab402d105328a93c7aff0ed843ff9a6278871abcb17ed3ff144ee75b163a6ab22c8aefa7c9aa01f6a13

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
402KB

MD5
8455100d5721ba59783b7bfbbaa86d35

SHA1
4f2774596590a1c96c47d4056cf47f7e315398b2

SHA256
d9ab7c289eed30bdc4c1d508358cb5e01989bdad4e0820cd4b7c1f1859ead652

SHA512
a0310cc4189d9c80230ed81f172bff63daa04e5b44a5c4a56ad27dbde8d1a3461000e5467ee436885f0b8923db5851a5825291c1b1499cacd1297741c89987fb

Download Submit
C:\Windows\SysWOW64\Ofnpim32.dll

Filesize
7KB

MD5
98984ab27cb5a439d36d2d0dce44b2ed

SHA1
bd4187c6e5ff9941c57026af5260c029fcbb70a1

SHA256
86cca24559c21ef87d5d390a6b0c2c2d6f2e8bd8f18ec0092ab8ba7cdc953f94

SHA512
445aa1eac48cf2f306ebd05e8cdedc2358360709edb16f4c1d274c1c9d79069b27a9c978cdc436eab8b66437256f7fea2a24b6f6af9cfcc0a66c0a3db7954caa

Download Submit
memory/100-517-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/400-518-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/456-1288-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/456-536-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/624-551-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/624-1260-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/644-807-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/656-625-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/708-543-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/868-585-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/920-573-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/976-1176-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/976-593-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1076-520-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1244-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1276-591-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1336-570-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1408-497-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1432-494-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1520-534-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1764-1173-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1848-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1860-577-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1880-514-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1940-559-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2008-546-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2044-1221-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2224-492-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2288-1258-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2380-541-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2496-496-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2532-1155-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2532-636-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2748-1217-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2820-575-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2836-490-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2864-489-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2892-1342-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2892-491-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2904-584-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2908-1175-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2936-527-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3052-775-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3156-504-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3276-513-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3344-642-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3360-505-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3412-542-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3428-562-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3516-554-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3596-532-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3628-604-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3680-535-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3684-506-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3692-556-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3696-576-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3716-875-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3728-495-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3960-574-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4076-525-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4124-515-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4196-512-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4236-553-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4276-544-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4356-572-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4372-564-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4420-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4584-516-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4692-582-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4700-502-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4808-36-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4820-555-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4824-568-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4844-519-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4960-588-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4960-1182-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4976-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4976-1355-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5088-493-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5180-906-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5184-653-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5220-654-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5228-861-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5328-670-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5364-790-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5368-675-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5464-682-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5500-797-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5508-692-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5548-694-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5596-809-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5608-700-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5616-876-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5676-707-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5724-825-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5752-721-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5784-887-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5788-723-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5788-1122-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5800-830-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5836-729-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5884-1119-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5884-739-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5916-741-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/5956-897-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6000-846-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6008-756-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6040-1079-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6048-758-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6108-858-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6124-773-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/6304-1028-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads