6424f88b63cfe2010236d0b220f6725840672620f49d9f7ca5c97b980ed65fa4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6424f88b63cfe2010236d0b220f6725840672620f49d9f7ca5c97b980ed65fa4.exe
Size

304KB
MD5

b1410ae2b3e461fa29baa37e2a9a743d
SHA1

6a3621666ca32ef1d4fc3d8e9f65b3ff8b172db7
SHA256

6424f88b63cfe2010236d0b220f6725840672620f49d9f7ca5c97b980ed65fa4
SHA512

2c6f11210380fca18732cffa4b837c1f7adff0b97c53ea89e3924ec6cced19fb812a25466e1d75f73b193b5d18e787b63e9d1a563733036b53d08ec115ff6cac
SSDEEP

6144:iOLAyoB3Yt3XbaHJUByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6MxE:86t3XGCByvNv54B9f01ZmHByvNE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djlddi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dabpnlkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dabpnlkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhlhjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhlocipo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceblbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpjmee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cedihl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe

Executes dropped EXE 64 IoCs

pid	Process
640	Bhlocipo.exe
3004	Boegpc32.exe
860	Bikkml32.exe
4040	Cpedjf32.exe
3420	Ceblbm32.exe
1648	Cpgqpe32.exe
3892	Cedihl32.exe
2736	Cpjmee32.exe
3052	Cchiaqjm.exe
4004	Clqnjf32.exe
4408	Camfbm32.exe
4940	Clckpf32.exe
3164	Coagla32.exe
2084	Doccaall.exe
4508	Dabpnlkp.exe
2496	Dhlhjf32.exe
1100	Djlddi32.exe
1900	Dohmlp32.exe
464	Dhqaefng.exe
1572	Dphifcoi.exe
3440	Daifnk32.exe
3020	Dfdbojmq.exe
1904	Dakbckbe.exe
5080	Elagacbk.exe
4056	Ebnoikqb.exe
4512	Epopgbia.exe
3840	Eflhoigi.exe
1984	Eleplc32.exe
1412	Efneehef.exe
2760	Eqciba32.exe
2012	Ebeejijj.exe
4404	Eqfeha32.exe
1472	Ecdbdl32.exe
8	Fmmfmbhn.exe
3428	Fokbim32.exe
2992	Fjqgff32.exe
5052	Ficgacna.exe
3864	Fomonm32.exe
4124	Fjcclf32.exe
3964	Fmapha32.exe
2996	Fopldmcl.exe
2488	Fbnhphbp.exe
3608	Fjepaecb.exe
624	Fmclmabe.exe
4596	Fcnejk32.exe
456	Fflaff32.exe
1928	Fmficqpc.exe
4884	Fqaeco32.exe
544	Gfnnlffc.exe
4840	Gimjhafg.exe
2896	Gogbdl32.exe
468	Gjlfbd32.exe
2332	Gmkbnp32.exe
4764	Gcekkjcj.exe
2176	Giacca32.exe
2892	Gqikdn32.exe
2448	Gcggpj32.exe
2456	Gidphq32.exe
1452	Gqkhjn32.exe
4560	Gcidfi32.exe
3028	Gfhqbe32.exe
2612	Gifmnpnl.exe
2540	Gameonno.exe
372	Gppekj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kijjfe32.dll	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Fdahphpi.dll	Camfbm32.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Efneehef.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Nokakckp.dll	Dabpnlkp.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Ficgacna.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Cpedjf32.exe	Bikkml32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Ahgndd32.dll	Fflaff32.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Clckpf32.exe	Camfbm32.exe
File created	C:\Windows\SysWOW64\Inomojol.dll	Eqciba32.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Ebeejijj.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Inccjgbc.dll	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	Fmmfmbhn.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Imbaemhc.exe	Ifhiib32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Bhlocipo.exe	6424f88b63cfe2010236d0b220f6725840672620f49d9f7ca5c97b980ed65fa4.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Cpgqpe32.exe	Ceblbm32.exe
File created	C:\Windows\SysWOW64\Kpmkpqcp.dll	Daifnk32.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Elagacbk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5180	5772	WerFault.exe	236

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Camfbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbccoaj.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhlocipo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaokiafg.dll"	Cchiaqjm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Coagla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dohmlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbeghene.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inccjgbc.dll"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpedjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbep32.dll"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 640	3540	6424f88b63cfe2010236d0b220f6725840672620f49d9f7ca5c97b980ed65fa4.exe	82
PID 3540 wrote to memory of 640	3540	6424f88b63cfe2010236d0b220f6725840672620f49d9f7ca5c97b980ed65fa4.exe	82
PID 3540 wrote to memory of 640	3540	6424f88b63cfe2010236d0b220f6725840672620f49d9f7ca5c97b980ed65fa4.exe	82
PID 640 wrote to memory of 3004	640	Bhlocipo.exe	83
PID 640 wrote to memory of 3004	640	Bhlocipo.exe	83
PID 640 wrote to memory of 3004	640	Bhlocipo.exe	83
PID 3004 wrote to memory of 860	3004	Boegpc32.exe	84
PID 3004 wrote to memory of 860	3004	Boegpc32.exe	84
PID 3004 wrote to memory of 860	3004	Boegpc32.exe	84
PID 860 wrote to memory of 4040	860	Bikkml32.exe	85
PID 860 wrote to memory of 4040	860	Bikkml32.exe	85
PID 860 wrote to memory of 4040	860	Bikkml32.exe	85
PID 4040 wrote to memory of 3420	4040	Cpedjf32.exe	86
PID 4040 wrote to memory of 3420	4040	Cpedjf32.exe	86
PID 4040 wrote to memory of 3420	4040	Cpedjf32.exe	86
PID 3420 wrote to memory of 1648	3420	Ceblbm32.exe	88
PID 3420 wrote to memory of 1648	3420	Ceblbm32.exe	88
PID 3420 wrote to memory of 1648	3420	Ceblbm32.exe	88
PID 1648 wrote to memory of 3892	1648	Cpgqpe32.exe	89
PID 1648 wrote to memory of 3892	1648	Cpgqpe32.exe	89
PID 1648 wrote to memory of 3892	1648	Cpgqpe32.exe	89
PID 3892 wrote to memory of 2736	3892	Cedihl32.exe	90
PID 3892 wrote to memory of 2736	3892	Cedihl32.exe	90
PID 3892 wrote to memory of 2736	3892	Cedihl32.exe	90
PID 2736 wrote to memory of 3052	2736	Cpjmee32.exe	92
PID 2736 wrote to memory of 3052	2736	Cpjmee32.exe	92
PID 2736 wrote to memory of 3052	2736	Cpjmee32.exe	92
PID 3052 wrote to memory of 4004	3052	Cchiaqjm.exe	93
PID 3052 wrote to memory of 4004	3052	Cchiaqjm.exe	93
PID 3052 wrote to memory of 4004	3052	Cchiaqjm.exe	93
PID 4004 wrote to memory of 4408	4004	Clqnjf32.exe	94
PID 4004 wrote to memory of 4408	4004	Clqnjf32.exe	94
PID 4004 wrote to memory of 4408	4004	Clqnjf32.exe	94
PID 4408 wrote to memory of 4940	4408	Camfbm32.exe	96
PID 4408 wrote to memory of 4940	4408	Camfbm32.exe	96
PID 4408 wrote to memory of 4940	4408	Camfbm32.exe	96
PID 4940 wrote to memory of 3164	4940	Clckpf32.exe	97
PID 4940 wrote to memory of 3164	4940	Clckpf32.exe	97
PID 4940 wrote to memory of 3164	4940	Clckpf32.exe	97
PID 3164 wrote to memory of 2084	3164	Coagla32.exe	98
PID 3164 wrote to memory of 2084	3164	Coagla32.exe	98
PID 3164 wrote to memory of 2084	3164	Coagla32.exe	98
PID 2084 wrote to memory of 4508	2084	Doccaall.exe	99
PID 2084 wrote to memory of 4508	2084	Doccaall.exe	99
PID 2084 wrote to memory of 4508	2084	Doccaall.exe	99
PID 4508 wrote to memory of 2496	4508	Dabpnlkp.exe	100
PID 4508 wrote to memory of 2496	4508	Dabpnlkp.exe	100
PID 4508 wrote to memory of 2496	4508	Dabpnlkp.exe	100
PID 2496 wrote to memory of 1100	2496	Dhlhjf32.exe	101
PID 2496 wrote to memory of 1100	2496	Dhlhjf32.exe	101
PID 2496 wrote to memory of 1100	2496	Dhlhjf32.exe	101
PID 1100 wrote to memory of 1900	1100	Djlddi32.exe	102
PID 1100 wrote to memory of 1900	1100	Djlddi32.exe	102
PID 1100 wrote to memory of 1900	1100	Djlddi32.exe	102
PID 1900 wrote to memory of 464	1900	Dohmlp32.exe	103
PID 1900 wrote to memory of 464	1900	Dohmlp32.exe	103
PID 1900 wrote to memory of 464	1900	Dohmlp32.exe	103
PID 464 wrote to memory of 1572	464	Dhqaefng.exe	104
PID 464 wrote to memory of 1572	464	Dhqaefng.exe	104
PID 464 wrote to memory of 1572	464	Dhqaefng.exe	104
PID 1572 wrote to memory of 3440	1572	Dphifcoi.exe	105
PID 1572 wrote to memory of 3440	1572	Dphifcoi.exe	105
PID 1572 wrote to memory of 3440	1572	Dphifcoi.exe	105
PID 3440 wrote to memory of 3020	3440	Daifnk32.exe	106

C:\Users\Admin\AppData\Local\Temp\6424f88b63cfe2010236d0b220f6725840672620f49d9f7ca5c97b980ed65fa4.exe
"C:\Users\Admin\AppData\Local\Temp\6424f88b63cfe2010236d0b220f6725840672620f49d9f7ca5c97b980ed65fa4.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\Bhlocipo.exe
  C:\Windows\system32\Bhlocipo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\Boegpc32.exe
    C:\Windows\system32\Boegpc32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\Bikkml32.exe
      C:\Windows\system32\Bikkml32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Windows\SysWOW64\Cpedjf32.exe
        
        C:\Windows\system32\Cpedjf32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\SysWOW64\Ceblbm32.exe
        
        C:\Windows\system32\Ceblbm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Cpgqpe32.exe
        
        C:\Windows\system32\Cpgqpe32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Cedihl32.exe
        
        C:\Windows\system32\Cedihl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Cpjmee32.exe
        
        C:\Windows\system32\Cpjmee32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Cchiaqjm.exe
        
        C:\Windows\system32\Cchiaqjm.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Clqnjf32.exe
        
        C:\Windows\system32\Clqnjf32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Camfbm32.exe
        
        C:\Windows\system32\Camfbm32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\Clckpf32.exe
        
        C:\Windows\system32\Clckpf32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Coagla32.exe
        
        C:\Windows\system32\Coagla32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Dabpnlkp.exe
        
        C:\Windows\system32\Dabpnlkp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Dhlhjf32.exe
        
        C:\Windows\system32\Dhlhjf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        23⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        24⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        27⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        33⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        36⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3864
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        46⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        48⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4884
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        52⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2892
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        62⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        64⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        68⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3812
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        70⤵
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        72⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        73⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        74⤵
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        75⤵
        
        PID:716
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2716
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        78⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:924
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        80⤵
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        81⤵
        
        PID:228
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        82⤵
        Modifies registry class
        
        PID:3152
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        84⤵
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        85⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        87⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        88⤵
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        90⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        91⤵
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        93⤵
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        95⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        96⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        97⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3784
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4304
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        100⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        103⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        104⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        106⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        109⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        112⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        114⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        115⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        116⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5836
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        119⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        120⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        122⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6096
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        126⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5472
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5600
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        136⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        139⤵
        Drops file in System32 directory
        
        PID:6104
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5268
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        142⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        144⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        146⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        147⤵
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        150⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        151⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        152⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        153⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 420
        154⤵
        Program crash
        
        PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5772 -ip 5772
1⤵
PID:6068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhlocipo.exe

Filesize
304KB

MD5
d58b3fe573877caa247e0c2413717d83

SHA1
f4fbc06457fda23408e905356791a2524a5c1a02

SHA256
252a47587b81f115a998c82b949588497c0e023829c329922a77840488e727e8

SHA512
40a5bc32bbc847c6da0b63155b73297e6f403f428e742f28dd7d60a8d7df768fdbf6d83ab1ce4851da3559bede3643fe455505147ef66df1d673487f0c4cbc89

Download Submit
C:\Windows\SysWOW64\Bikkml32.exe

Filesize
304KB

MD5
3747880dd18478c488ce2ba9284dbf60

SHA1
2233b52f3a72244580eb02cdb61fc182fb5ac010

SHA256
76d35a9651ee973c0d47f4421253f41cda03a652e6f1dd5254e5e9663aab62c4

SHA512
4883471e0235bd9ccfc2086818c644b39b3e3f05bb6ac3a98dcd7f0c2fbea6d20f338b3f0b11b82e4d1c02a499eafa05d0445b8fe74565c3c378034749dd0983

Download Submit
C:\Windows\SysWOW64\Boegpc32.exe

Filesize
304KB

MD5
1c3b02c07c6664e805f0d24e123fc477

SHA1
9e32e22d3f8a8065b79a59979a16b17cb698ee43

SHA256
52795fd60975ee588bedce95249037f6be5380cad106d8008fab6935cb3bbaef

SHA512
1d6a379bc04c005401af9959885feba2b7122777bf22ddb18e71e152263a603927212b49afd70c5bd4e5ff6ccab53298555ef3b06eff2a98e7ef6df6ae4af71a

Download Submit
C:\Windows\SysWOW64\Camfbm32.exe

Filesize
304KB

MD5
a61c870c7a4959e4a93381f41276b86e

SHA1
8faac4d09bfc534ee04e30c8ccd098a37a5178a8

SHA256
49cba78adad334fd0d1c1a3c100f1955cbe373e990ad0ee70567303e82182416

SHA512
5ae86308c18ebfcfb7819154dbfc5bab45278909335042715c511edd8312f4a4bbe7ac65cc963c948115ab2571105fa89fdf85056640292d4317f5b9bd715592

Download Submit
C:\Windows\SysWOW64\Cchiaqjm.exe

Filesize
304KB

MD5
ee76441f5eda0346ff561fe944cbf6c2

SHA1
3afa346f95a3c611ada477b6911cd54028a86fe0

SHA256
4fe451b666f0e82f8595b0a71becfca93db28181de4e2e1207f192c6794989e9

SHA512
5bad2a8e6979b02c25d100713fc8256fd2a522e705d8d8311bf26d59241f0134cf0cabfd49f868cdfd9a5a11d75462a5a9096fc238944ce98d5e38a5be828728

Download Submit
C:\Windows\SysWOW64\Ceblbm32.exe

Filesize
304KB

MD5
7273cf73c4382ddc8c342cebca69dd98

SHA1
f9c304169939dd55b615fdfb440848e43a2b91f7

SHA256
78cffe2eaa4a4c96645275823a604f70b68830e13a8fe7a1c691f6fbf73c4257

SHA512
a268f3d1b696c41bf2a868850452f60e328065c9856f8babec2b91b875fcc93a461033715163674e2fbddc5bb223aa5a2961bf15f5a25334644cc513be135c34

Download Submit
C:\Windows\SysWOW64\Cedihl32.exe

Filesize
304KB

MD5
34f27460462b76220f01e6f12a58c96c

SHA1
40f644bf4cfa58fcfa242f449e7219ada677bf86

SHA256
83663f469384a6b4d5f262c48235a7446fe8b11f4504ea03f7bef75f8359fe69

SHA512
d7b65c49e3ea032d44a0574e55ddb3909ad993fbb8ee98f319c66c0da626c8a41631e0e6cdd999c7fac972d02fe2cca3dc1a49ad03dfe0ebbf345eef8ca94d2c

Download Submit
C:\Windows\SysWOW64\Clckpf32.exe

Filesize
304KB

MD5
b6c05ad5af723dae001376063169b0e3

SHA1
4b60376b6b8beebd91e76b70198721be0fa3e9a4

SHA256
864a05b77d472fe09cd8807bd5a648a1f04f8e4e40c6bfee716b0515ce374078

SHA512
669b27d57e350a91a47d369c2e283363419197ca8abb19af0f087c5946ef7e56ef480f0e0e96fa92b4767fece968e1d168f3ab7a961d27830b68dfc913a618e6

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
304KB

MD5
5432e9b338a5bdbb71e16190c0eb7418

SHA1
eb49e201e30fc5a63845521b679d9987c8948f35

SHA256
6311525a78a8ec5df06610b87c3e6e359e12d70ea8cf8b1bf28e2a8dbd82290d

SHA512
199964ce590357ca5d4d0ef3ced50019497cd7860e7bdf9cffcf4729e113a7321178ca3362100fbdad6df45fa28d92fe32b8fde82ba1ea64418a49f03b256fd6

Download Submit
C:\Windows\SysWOW64\Coagla32.exe

Filesize
304KB

MD5
495a4d40b7ab1ebec7f83daad2f8e2b0

SHA1
e402fbf2732398b3df3023c5253d2bbc3a937bde

SHA256
f66a554d95e1d296202658a0c42b3d678712d45b87c423c06056f0fc99075a09

SHA512
4a606665e176382951201a5181899911c79fd9201c6243a50393f50eb442ea2b8175caba9be9d1390aa90b81a1d0c46e0602b9bd4c0cbfcf4db31aea168b5680

Download Submit
C:\Windows\SysWOW64\Cpedjf32.exe

Filesize
304KB

MD5
a26cb7a98f682dfa7b46031475e75199

SHA1
cb1a027160daf82e8a4f826bdebad8d1d8ab8b72

SHA256
6ba869259fe40dd6c063b9579d3feb26f719ab47269974e78a97fcf423b59fea

SHA512
9f18219c9e798d6c146514cf9c4ba906101b2305a704315c137f4489aedccfebb5a7b69e43ba642bd62c666fd3a46209a8125a43b6a1d00a2397e88494631d85

Download Submit
C:\Windows\SysWOW64\Cpgqpe32.exe

Filesize
304KB

MD5
eff3fee92af38ef67ad585d38edf3d47

SHA1
fbcb65e5860a16777dcbf7959a00a4af82f90c46

SHA256
ae237fb741e487f4bde4822197f767f241da68a42e2a9e2cc2b0b85c62038d51

SHA512
fc5fdb9242e14f653033a805b916f70ea44dcdc8ded2b355dd35267a9ec585efc10bd5d867d96932657fb8e66c0a7a59583bfe360a988a8c6446844b60b8b3f5

Download Submit
C:\Windows\SysWOW64\Cpjmee32.exe

Filesize
304KB

MD5
d9c8da2d2a192312b4df76e9d8b7f925

SHA1
806afae5751326894a7c7c9684e0753fc8da19a6

SHA256
51747a84396a472e1dc6120a21446cc529795509077a3b1de672311c7a1bf3ae

SHA512
fb40f5b3dc8f30ee6f8c5047ba1f9575a01658b5d407dbfe622aaf7a809ee0787be816471dbc4edddc3c1cc71c87fb09f70e8f795d74bbb7bd9f2f9170747964

Download Submit
C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
304KB

MD5
010b0ac13a2241201bf818f81d3f1c96

SHA1
25c7f3759c730d56c6f5774759ea8b16400e412f

SHA256
54bb17a98a5e853bef1c352a27ae14f89100c060c4e1723f95c71f8e5621e710

SHA512
84f0819a503345f9655a0ab649cf29aab25d22554c31da769a52302653d6d73fe5c20f2ef274340c20a6c13caf784532e0b69c5374e186a2364b217f00f927b2

Download Submit
C:\Windows\SysWOW64\Daifnk32.exe

Filesize
304KB

MD5
a466127e5a975ba8f58607b1d3c943d3

SHA1
dc84f06ac0d3db49288d2355dade8835754bd3c6

SHA256
a64e750240409ad2979c3ac17c16b63a372c88e8900e614889a19ba81dc90a24

SHA512
e98af7f1b7cc61f3e0cfc4c56bd28011fb45fe42e2eac8ee7d7553239e58eca162c6d7580a8ed451649abe12ac259f0de90e22120f4e7b521cd9f78db08be276

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
304KB

MD5
195f4909527544866fa16d71b8fe3a88

SHA1
89234768d16014f421ff94996a4ef55fb5d0a50e

SHA256
6990c7ce9387a5df4e27867a59885fbd92dc9ea53752b667916c4c49ae91b1f0

SHA512
1bb6912ae25b0d04c729b7bb4dde16d6f572d4c7a0f1f0dda9b03bd6e64dd3dd6a67988071daf33b7df4355ca19efed88e09be2a4c1529e81d83fba1aaf03a90

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
304KB

MD5
29cdd250ed1d70e1c29412f999cea3b7

SHA1
26decd0d758bd417131bfb0ab3f87de93c4baa0a

SHA256
ac33111912bda3bc28e169376533714a84fe16a95de975c9572106832c976cf0

SHA512
654b7bd0f6eb3bb4a4ebd1572d63bdd6e6b3d3af53a009d3f1639ac865caa9bce510d8c91f6a915b1cc4ed86bfa1d62f6fe9127feda70d4656dde83a6d24c6ce

Download Submit
C:\Windows\SysWOW64\Dhlhjf32.exe

Filesize
304KB

MD5
4e5f3d431609148dbee6a4351c90c001

SHA1
7b2d713f3c74c97c9bab64e0bdaf39b18b8c090d

SHA256
663b5e0302a05d195dbb7c2be0971d3155be2b953b0a8d890c0275884df99a71

SHA512
af0e6170623762ff5d879c8d379a4beedfae41f56b30f6d922f1a86a658578b2510f49f3dafc5d095b4f635974e2aa0b0f7d5eaae942797e52aa3b06e15046b8

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
304KB

MD5
96e82131048d28cd2e21ae533b463441

SHA1
7336f5019c3942f023113fc353a03f527e0d345e

SHA256
9771053e6929dd1378e50f579ed46de5d4f130844d67c6fafb7dd7db9ad281e7

SHA512
ea5f68e6f3cd989e788bec389589f0c3e67c0133d1b366c28eb5ed7b9a7b583f9fc8c7dc41b011371ebf5b170af21e6f3f610937bab5a49557677497a4def1ce

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
304KB

MD5
4a85ebc10b0d8a54593d3e2510acab14

SHA1
c9563a7e73fa11c439f88b29f8aba7364ffbc370

SHA256
4c598aa3da51f3708b0358db6052cc97c27f7d212b81e77b42c336fdc68c532a

SHA512
990b125cbc5be849e48ceba7d53ec02d252735b3da3e5a487cd5ed467677cf0b29b138888a2ceadd79b4d67838c042d8e18bb4a19a712566c800e510389848a3

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
304KB

MD5
50d9a75071efde42a722340c73e0ba19

SHA1
132d6ab0c31c968f235cbab50b892e5c76a348e8

SHA256
8a5d116fb682770a4eb761345b89d23eedc46fe560ddfe6312cca785b37c880c

SHA512
9fa3239a839c8075c6d8944f386d64641aebb111d381d45b8c0c3fb518091b63cf3d49c2e416e1990e14a944b4d36b0074c93dc9039416214d937527132790c6

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
304KB

MD5
582a5ba936e2553b7b83d5223a6b01b1

SHA1
7bd64b021c0de41999e24a4bd70adadbc53af59a

SHA256
6c01a934d79bed9e68f22b9726767404a1c21609e0bfd73d40600b2454ac3fdf

SHA512
354a2c8143d7477088577257c44e1e7e3bc165ae636891d99fcd3a8d24e77fd6895476cf9dd02100aa1190906959ad8c53b03e36ffe2c15754a3d2153bbbf827

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
304KB

MD5
d09fe580be1b45b7a87f83bb8b6c4ab9

SHA1
2f4811c2e135c0728aa83db3ef7c16b3e5461cca

SHA256
95dfa7786b812a2ea2641f7d497fac70555180a0d87293c47f633cffdf1f710a

SHA512
561d2156860b749e288f2daa5d092ddc8f2cbd22087c727ad0a942e893bb29b5c1907a44bf6afc68e09878c4bf7c7c9f0348ebd3be4ad296bdc5ced86c376b9b

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
304KB

MD5
b045393e06ce6eb5e891c394a2581063

SHA1
0cc3601f3968f2ebea5de5d4347bcbdb65c7c493

SHA256
37063760e7a6685797e2b727d86d3889baf93203b69803ad33a9f6169db2a547

SHA512
6a88ecce1aea7dcfcb0b3d9f1fb0b689b7cf12f4bea58a359b4e5a55fc2ce6319f5951ac93cb1bfc0399e98d04ae7191045fc6d56c66840409927026a3468d28

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
304KB

MD5
64f8443fbfa3e3712de5d74e974f21e2

SHA1
1fb07b10959e3fe52d89eefc927f6d39c0cb2e2d

SHA256
22f1b239b2fd2c2ed112033e212463d676e7b8788c4e16cb0bf76be8735cb5c7

SHA512
5afff1905c79a18a787faa6c7eff3e27beb02f47ad278afb53e7de3f8ac91ef3ff3c3a8c584f533bd32cebad4da4eb60574b087964d1f8e06eeb5041a6baa4f5

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
304KB

MD5
cd26d93c951a8701de97f419bb04a27e

SHA1
5b4c985fe18c8a7f57c094303fd31ebf78671c72

SHA256
d36b629f9bb08fc8b4fb54182746314c4d26dcb5a8688a1420fa80ff9ede9e18

SHA512
cf529d85e87759b996be4a659c669aa9e6e8b1e5c4c5fce9b63d944403d1a3d5945213e1ee516219c469eb2742f529e8a16e1c966746e1e561f0fe1197c7f404

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
304KB

MD5
682cc8917f9970dfdce3b04955666d03

SHA1
77af7a7b7e2ed21b91001060fb26eff5ff74ad57

SHA256
7a1721f9946b1e8b45fb5086fd47b84478b3d75ed16f577fc372f0b9bdbfad18

SHA512
f63445b6d36aa6e75b3af6be6470783b50741f09703da760fca9f7426ceff85b848d433d2ce0b6f64054d30669b73e2c0ed752c44b3d70553dfb0761fbd13e4a

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
304KB

MD5
9c12c70d0cf7713bf8319d1325b93b9f

SHA1
b4ab107d731890a793739ebb2521a9ff61247e4b

SHA256
b30cccb055919f6941fbe29b8c69173a8368484813ff433d7cf541a1a44cde05

SHA512
1c00cd490013b1119a9e9c93969133536b16029abb7a293585b5209ee2cf033284878423fad593f2c6a9f2417541a09581ec64dee49ba44f3cc232a614fbd5cf

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
304KB

MD5
a3e4b584ffa32f0fc0f037c3e50fffe0

SHA1
9b1700f611b23c9aec0eaa443fd0aac7d47df27b

SHA256
f470fdc7eb40a3a40e0e6aa77fb76a2ea9449a0a008d020dc4e6547c53ae1e25

SHA512
3363810808087306fac23dc946cc00d9d5e22c7f78af3c00d80f294defe20e9bc7bf0481a0485ec7718140b35ca71a2a1ac9ccff5711ba44d5be0a12be964cae

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
304KB

MD5
54b6a15b3ef835c9967efb94adc24377

SHA1
99526f20d45322945ef5c553aec2768ef20b79e9

SHA256
a6e16ad04aac4b587358424267cf167c9c33c248bc0f90aa46e6686328835734

SHA512
da3bdca6c51df30e8c57e7049951b44e28495cda1dda841c719dc2486345c093c4351e0c31e9a7c56c90777bfe8579617f5581ee299ef36d8c7527a95aef70ee

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
304KB

MD5
72a36a2403e1fd55b00654f3c66c9c37

SHA1
11393d602e4355105882c414fd2e62c37c43128b

SHA256
1d9026e6d3f5179ec64d4de6c85be968eb3103b5520c7259ea75eaaf48f043b5

SHA512
b73df4cc6df64c90e295d345264a39771959dee04386aa19c53ea4a51efbdfa3e6051462f741f85a4754fe72b679c12393c7381484fd33f3b7d6534ac041bb55

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
304KB

MD5
2fa452fe853c9dcaf8dcc41f3d7e01bb

SHA1
57aa46c937cad833e1fb3dc3ece0afd44d71d67a

SHA256
a301a1b4231bd8fd9e8434bb2658b4f3e1617f05e9cda9147f4baf34b3abf774

SHA512
2407cf93f47db0a5bd1864d1305e646bbf115d2940b86d186482486e53de28dc50e882af8ddf2512f1ce6ecbf898a0d357c8cdb6e5bc8a4617202e932b2b8c5e

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
304KB

MD5
db17044a176b6409a36a48bb9ca8bdfe

SHA1
adb384ab54816decd5d117d9ec7228079a0d2b29

SHA256
61f946b0f61b7c1a228a9333651077a423e51f46877c6429f9763c21cac33b57

SHA512
7de663326e3ffabd83d5d5ff67c046c2a5384349d231620dd5484cf0b08173a442d837cf6676938ce3aea7a97253d6d6b1445d08105fda301371e756aae3b713

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
304KB

MD5
0b77cb271062d9d58a5fad92739c3546

SHA1
020a20c6c4846fcdd50d2114cb3bf3963a359b96

SHA256
860bb4776bb6ea87b5248c86bdcdbe0222e691018b98f3e7fb6607d601e9e969

SHA512
4a50c1d4a38797d05645d86c6a04511015f89e3d3813fa5cddbf163cfdc5011d33f0c096282c3f129c89a134f5898905348ab3b5596f8a8628a9ffb63e6563f4

Download Submit
C:\Windows\SysWOW64\Hfjmgdlf.exe

Filesize
304KB

MD5
cc2b0adb022e4c4262e34cc8ec479558

SHA1
5a46d0c5fb3635b5116e55d0c59163a367560b1a

SHA256
3655184fab7a5070bf66158e0a1d5d9e21c6aafd1ea44a4d397cdb22b84c0686

SHA512
832241f09465c39a816d8e1346e4f386e2fc25796b3049274311e3c32dd296021e90186a382f6d481a88faabc2602d9d4c2548b25de191e324561613e02e3d6e

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
304KB

MD5
6398fe0f79b39ab3617c73fba1b15491

SHA1
30f9aeb2deeba6f0106e9e1ed93c5e2da638881c

SHA256
c470be553b522defe5203bb2fd0106d395d6aa989c093278c52c95f657bb8d58

SHA512
4192a8df43da5a5183763f28d5677c2382585ce00964ebc8d760033cc01eb35654d86b33fd702424b660341badc1066e389c2039543fef7c202771d8a26b5852

Download Submit
C:\Windows\SysWOW64\Icljbg32.exe

Filesize
304KB

MD5
312951391d754356678e121e3e6008a5

SHA1
1e1bc75244bb7c8140ed646b76c6aa1d518e83b6

SHA256
aaf3c6f5574b8279a94a7b59685c159bd2c42fdf44368a3b63379daad756fb5b

SHA512
2f96db357d236911a955a5572623b3c403e58478501ce3173df01dc4e6abbd5de887b6880eba7c9421bcc63bc6e781d37591b8be4171de2aa6bc5c1a1965f3ca

Download Submit
C:\Windows\SysWOW64\Jangmibi.exe

Filesize
304KB

MD5
6fe3484055ce825172636be5ea810acd

SHA1
f6dd71f519848dcb41c00fffaf54786c80bdb1f8

SHA256
4b5411d2929ca7abde414c2251e624932e013c6d050b2b78d579b8f6992ebab2

SHA512
35c3abb1761ff6e700b1dc29d0c03f06e343afbe52075ed558c9fd92164a3283b97b7315ee5d7bfe8a2ccdadb9c346a2778a1c78302639506f8654312eae607a

Download Submit
C:\Windows\SysWOW64\Jbkjjblm.exe

Filesize
304KB

MD5
237102a77b9772b346f9b6f66bb947a4

SHA1
69e4e4e20ea60526148d37bbd13b769fe7d38dac

SHA256
95b5d4049ef01d2eabd41036afd657699af7e94ab71715c8f12aea7a900d52b7

SHA512
1ff1b40f951bdab30a77881826b588b8a8444c0388e0f500dabba554faed19b8e22f8a2fa67a7ce19edb6fa2b33a271977871c90a9c2a24475d85d76951a15ee

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
304KB

MD5
6c6d4d2e5e62f4365d044b696c8672ed

SHA1
ab165bf05f6f286303e4d0b1d6b8993fff0e8267

SHA256
746673bf1da7204fc94eca824442a664750ec8f45a37f0cafeaf56747cba45c9

SHA512
e2c813f4469306a72aa7744f03a72d992e3c70eaabeb7701b4e7c8b96800830099463fc4ceb0377a2ca32e741accb6f8b4fecf4992df96f6b46c83ea16407028

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
304KB

MD5
bd56bb1c78391cea96e6fa86dfaf4629

SHA1
7605b8e26e9aaa959a94e7a448f3183d15073bd9

SHA256
b7d91176b9f23d0923e661aab07de50934154f254ce66a9ebcade9c513c8dae4

SHA512
c46b89384144e7170c52d6070b6372275846bc06c972f4436ecca85b289be971b57abf736b3cc859ab23a9be7a7d85d9a90f7a7e481b2831bf32e1699561391d

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
304KB

MD5
12e7d24132667da240ab19c886847af0

SHA1
eadadcdaff27b1bd44b4438c270c131525170e64

SHA256
b0fc5d090622ff175ef32b2f96e50bbdef6932e4ef871a5338d9eeed78939363

SHA512
b9ad45751f34b9a668ba76ce90256dd3cdf447d18b2d281981b83a5031ece97654a6173679618988c53d28f0e823ac330bf66754a13a9de08dacb2490a21b1cc

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
304KB

MD5
76dd9c32f4d44ee00c4575816900c3a2

SHA1
16730f026099acacca730f306e43755a69abbe56

SHA256
9693149bb5096c9f8f0c53d044b17b006e1221a3dc0a7032684c32c150704f11

SHA512
a85d5e08d22f2e00ad593f03a99ec3cbfbd72c6910083a0b5f27ac10b472e9d7eaba52f9f336056aeebfca9caaf592876df456e9b49f19dead79f0ca757fdd7f

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
304KB

MD5
78ac7bc4dd7e9a1767be2b9c3c940164

SHA1
1be9f0915055af940f065d2af4a23a9391c08d55

SHA256
35649d5dd0c49fbb667dc5a4b6ca3726ac5b2d4c5aadb1f193ffa1a0e3a111c1

SHA512
e3bb28a1135a225ffd4862207b8842ebc543638df79bd875cd5d6ca24bd6b81d52692844551696c029a4abf0395336d3b001d1a05441fbb59052c6445e4aa39f

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
304KB

MD5
0a35e33049bad739816061fff593a356

SHA1
68e013de373b260a8b221eada2ece0537868827b

SHA256
16cd74f098f473921943fac85a800a7823e47fd4aa257c6db500021ad1a6b1f0

SHA512
410aad5f3c4213a83c528bdb544b79c41cb13834699d52c9b5dbd1c103366e5699bda80968817010b25d4ac8f02133c101d0fb0db0ecf5a656cd3db56df72401

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
304KB

MD5
df045b71d97246ca778124cc2d98ffca

SHA1
a77fb716dbe93042260b92f710d01ab10042eafb

SHA256
858721058f753bede28712868c361b4545896fbdb0edf0024edaef83218c39a5

SHA512
abd0f8896b94003c8ed0bca8c5e167b68f9bbe3c34955f48c1feb37e3a8fe161f028702c0a8130e1570c55fe28cb85a6816044f7be9ba95b18ef757e7d83a4f5

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
64KB

MD5
56338b78403d7bc7c884272914467f54

SHA1
0a012a5a8e39932aa941b0a070e2976f454e4ca4

SHA256
9abc1a95ce723e1d1a9754def0a1e854c51714c78e9fc85ca9126d85e6c470bb

SHA512
18537fa8f19b0afb970d5d334131f952ae3842c7d6d225c47eaf5070220c0f5cb09f26440f687de6f25f735f861d9eb76174e163f3079a3592f568e430c90875

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
304KB

MD5
b81d9682ad2208ded83fc0931addd5e0

SHA1
fc79697de46ea0e1432b0b22c26487200c299f68

SHA256
5dadf70681ba782478a5b50228e4ef9d1acb4d3fa74065333a034abbfc12aca4

SHA512
68672da66c33a485326afb5d52345bafaa6b5405943e86cc384828b08651110eb1ed323515153329654959bcf91d9dc523a50156a7ee82a1c445f5458dc7335b

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
304KB

MD5
88f7d524cf3fa439316fcd67678ba59d

SHA1
6209b675cbdcd70f7b9ae3b68177456ae69be140

SHA256
ae4838772631603954b97032cbcb58b15f726d35d046d93973168c46fbb84537

SHA512
715ef48a6c44d092a19aa1f256dd5e99fa22590cb23656fc49f7ebc9793c175a835e342189f6e2b5fa616e56d2dc5d4c3ac73d20f1c104edd08545c3fe5801d9

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
304KB

MD5
34f9c249c8a983c7a9a2f24320eec94a

SHA1
d3a38464970ba19b9d98cd78725fef07bae0b016

SHA256
81e060a99f447d0d2f223aec449f5bdc5a2024ec07a01eb5c0f94d070739dfab

SHA512
6507dccfdab2bcfb67650e869972188f20228b6bfd8d301b17eaf11d64c467222d81094d297a2e6db658a3cc7ed22857d5a961d92a778fb431d361a98fa5b641

Download Submit
C:\Windows\SysWOW64\Oqlihepd.dll

Filesize
7KB

MD5
26714964f325818203d1725bbc06de6a

SHA1
9ab32254fcbb1c0a25bb6c8853cd39f5c3e5c902

SHA256
65dd1c3675b3f6dab3942c32d16e2703915b0caa6bc36dbd4117ed729c2c9864

SHA512
3a749c0c1da2017d33a674e283608538594ae657aac7038ee1bad59bbda7731a84e2b121da870539ac54ac1ef1552b288c2e54666fea827056801bcfd45ff54c

Download Submit
memory/8-268-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/228-545-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/372-448-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/456-340-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/464-152-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/468-376-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/544-358-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/624-332-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/640-8-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/640-551-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/716-508-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/724-580-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/764-573-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/860-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/860-565-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/924-532-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1100-136-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1412-232-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1452-422-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1472-262-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1560-469-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1572-160-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1580-563-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1648-48-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1648-586-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1820-502-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1900-143-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1904-183-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1928-347-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1984-224-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2012-248-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2040-484-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2084-112-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2176-397-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2180-460-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2332-382-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2364-530-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2448-406-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2456-412-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2488-316-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2496-127-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2540-447-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2612-440-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2716-514-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-64-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2760-240-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2892-400-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2896-370-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2984-454-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2992-284-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2996-310-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3004-558-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3004-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3020-176-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3028-434-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3052-71-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3152-556-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3164-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3204-478-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3400-496-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3420-579-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3420-39-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3428-274-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3440-172-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3540-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3540-544-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3600-520-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3608-322-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3812-472-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3840-216-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3864-292-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3892-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3892-593-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3964-308-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4000-566-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4004-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4040-572-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4040-36-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4056-200-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4124-302-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4180-540-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4404-256-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4408-88-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4428-591-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4508-120-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4512-208-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4548-594-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4560-424-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4596-334-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4656-490-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4764-388-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4840-364-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4884-352-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4940-100-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5052-290-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5080-192-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads