1046b4d1eb86f730f947d0c1ffed6a971e3c3fa7b4186a5044a25f44b307024b

Analysis

max time kernel
94s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1046b4d1eb86f730f947d0c1ffed6a971e3c3fa7b4186a5044a25f44b307024b.exe
Size

135KB
MD5

d64ac81198b74ce39f657ed1a628b7d6
SHA1

06123f7dedec5ad2ecbae9af32d257cd1f82e2cf
SHA256

1046b4d1eb86f730f947d0c1ffed6a971e3c3fa7b4186a5044a25f44b307024b
SHA512

0070c5047e2229c1ad492334b0fbe5decc1129f4298cd9d6d784bf9f4e29cf221520db7b661b9b9cbfe7914f05f3562cdf60bcfac111be603373d38b3fa7f29d
SSDEEP

3072:k1h4Gv8Cq7u7CTdK8Qr5+ViKGe7Yfs0a0Uoi:khB86uTdK9cViK4fs0l

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fefedmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goglcahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlolpq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflohaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kodnmkap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggnadib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahmjjoig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caojpaij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eiahnnph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmimai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hipmfjee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgloefco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npbceggm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnmhpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eehicoel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgmpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bahdob32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enigke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moipoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opclldhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmkdcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfchlbfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dngjff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gihgfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdhkcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chnbbqpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoideh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gihgfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqojclne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnmmboed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbpojnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmpcbhji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opclldhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpfjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiipmhmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcanll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kflide32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcmmhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aokkahlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahfmpnql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dafppp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmkqpkla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbalopbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hoclopne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnfpinmi.exe

Executes dropped EXE 64 IoCs

pid	Process
4164	Cnindhpg.exe
5048	Chnbbqpn.exe
2188	Cdecgbfa.exe
2500	Dnmhpg32.exe
2148	Dhclmp32.exe
3928	Dkahilkl.exe
1500	Ddjmba32.exe
3308	Dnbakghm.exe
1700	Dmcain32.exe
1196	Dndnpf32.exe
3656	Dmennnni.exe
1436	Dngjff32.exe
4956	Dfnbgc32.exe
2192	Ekkkoj32.exe
1292	Enigke32.exe
4588	Eoideh32.exe
3804	Eiahnnph.exe
4088	Eehicoel.exe
4304	Enpmld32.exe
3112	Ekdnei32.exe
2396	Fflohaij.exe
3260	Fbbpmb32.exe
3916	Fpgpgfmh.exe
3592	Fmkqpkla.exe
2548	Fefedmil.exe
1340	Fnnjmbpm.exe
1576	Fbjena32.exe
4440	Gblbca32.exe
2660	Gifkpknp.exe
3648	Gncchb32.exe
668	Gihgfk32.exe
4296	Gbalopbn.exe
724	Geohklaa.exe
3472	Goglcahb.exe
1864	Gfodeohd.exe
3436	Gmimai32.exe
4540	Gbeejp32.exe
1172	Hipmfjee.exe
4364	Hlnjbedi.exe
1048	Hbhboolf.exe
3460	Hibjli32.exe
1936	Hmpcbhji.exe
1040	Hblkjo32.exe
4084	Hekgfj32.exe
3696	Hlepcdoa.exe
2424	Hoclopne.exe
2568	Hiipmhmk.exe
2796	Hlglidlo.exe
4360	Ibaeen32.exe
1424	Iikmbh32.exe
3608	Ipeeobbe.exe
372	Ibcaknbi.exe
1972	Iinjhh32.exe
388	Illfdc32.exe
1392	Iojbpo32.exe
2356	Iipfmggc.exe
3396	Ilnbicff.exe
4124	Igdgglfl.exe
1840	Imnocf32.exe
2360	Iplkpa32.exe
5040	Ieidhh32.exe
3288	Joahqn32.exe
1756	Jiglnf32.exe
2352	Jpaekqhh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bkgeainn.exe	Bdmmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Ogekbb32.exe	Oakbehfe.exe
File opened for modification	C:\Windows\SysWOW64\Aokkahlo.exe	Amlogfel.exe
File created	C:\Windows\SysWOW64\Filclgic.dll	Gfodeohd.exe
File created	C:\Windows\SysWOW64\Nggnadib.exe	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Jihiic32.dll	Nmbjcljl.exe
File created	C:\Windows\SysWOW64\Geohklaa.exe	Gbalopbn.exe
File opened for modification	C:\Windows\SysWOW64\Geohklaa.exe	Gbalopbn.exe
File opened for modification	C:\Windows\SysWOW64\Jphkkpbp.exe	Jllokajf.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Imnocf32.exe	Igdgglfl.exe
File created	C:\Windows\SysWOW64\Moipoh32.exe	Mmkdcm32.exe
File created	C:\Windows\SysWOW64\Hicakqhn.dll	Kcidmkpq.exe
File created	C:\Windows\SysWOW64\Mnegbp32.exe	Mgloefco.exe
File opened for modification	C:\Windows\SysWOW64\Iipfmggc.exe	Iojbpo32.exe
File opened for modification	C:\Windows\SysWOW64\Jcoaglhk.exe	Jpaekqhh.exe
File created	C:\Windows\SysWOW64\Bpmhce32.dll	Enigke32.exe
File created	C:\Windows\SysWOW64\Bhpofl32.exe	Baegibae.exe
File opened for modification	C:\Windows\SysWOW64\Eehicoel.exe	Eiahnnph.exe
File created	C:\Windows\SysWOW64\Pkoaeldi.dll	Bhpofl32.exe
File created	C:\Windows\SysWOW64\Oidalg32.dll	Dmcain32.exe
File created	C:\Windows\SysWOW64\Enigke32.exe	Ekkkoj32.exe
File opened for modification	C:\Windows\SysWOW64\Chkobkod.exe	Cnfkdb32.exe
File created	C:\Windows\SysWOW64\Cdbpgl32.exe	Cacckp32.exe
File opened for modification	C:\Windows\SysWOW64\Klhnfo32.exe	Kodnmkap.exe
File created	C:\Windows\SysWOW64\Ogekbb32.exe	Oakbehfe.exe
File opened for modification	C:\Windows\SysWOW64\Hoclopne.exe	Hlepcdoa.exe
File opened for modification	C:\Windows\SysWOW64\Llodgnja.exe	Lgbloglj.exe
File created	C:\Windows\SysWOW64\Cdmfllhn.exe	Caojpaij.exe
File opened for modification	C:\Windows\SysWOW64\Dnbakghm.exe	Ddjmba32.exe
File created	C:\Windows\SysWOW64\Hekgfj32.exe	Hblkjo32.exe
File created	C:\Windows\SysWOW64\Jjpode32.exe	Jgbchj32.exe
File created	C:\Windows\SysWOW64\Lmjhab32.dll	Jjpode32.exe
File created	C:\Windows\SysWOW64\Gmbjqfjb.dll	Npgmpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dhbebj32.exe
File opened for modification	C:\Windows\SysWOW64\Gifkpknp.exe	Gblbca32.exe
File created	C:\Windows\SysWOW64\Jgpfbjlo.exe	Jilfifme.exe
File opened for modification	C:\Windows\SysWOW64\Dhphmj32.exe	Dpiplm32.exe
File opened for modification	C:\Windows\SysWOW64\Conanfli.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Hcjnlmph.dll	Dafppp32.exe
File created	C:\Windows\SysWOW64\Jllokajf.exe	Jgpfbjlo.exe
File created	C:\Windows\SysWOW64\Knnhjcog.exe	Kcidmkpq.exe
File created	C:\Windows\SysWOW64\Oppceehj.dll	Nqbpojnp.exe
File created	C:\Windows\SysWOW64\Npgmpf32.exe	Nnfpinmi.exe
File created	C:\Windows\SysWOW64\Ocoaob32.dll	Fbjena32.exe
File created	C:\Windows\SysWOW64\Pqknpl32.dll	Hbhboolf.exe
File created	C:\Windows\SysWOW64\Hbobhb32.dll	Aonhghjl.exe
File opened for modification	C:\Windows\SysWOW64\Igdgglfl.exe	Ilnbicff.exe
File created	C:\Windows\SysWOW64\Adfonlkp.dll	Jmeede32.exe
File created	C:\Windows\SysWOW64\Ifolcq32.dll	Mgloefco.exe
File created	C:\Windows\SysWOW64\Goglcahb.exe	Geohklaa.exe
File opened for modification	C:\Windows\SysWOW64\Hmpcbhji.exe	Hibjli32.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Cacckp32.exe	Coegoe32.exe
File opened for modification	C:\Windows\SysWOW64\Kjeiodek.exe	Kckqbj32.exe
File created	C:\Windows\SysWOW64\Domdocba.dll	Boihcf32.exe
File opened for modification	C:\Windows\SysWOW64\Ahfmpnql.exe	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Fmkqpkla.exe	Fpgpgfmh.exe
File opened for modification	C:\Windows\SysWOW64\Mnmmboed.exe	Mfchlbfd.exe
File created	C:\Windows\SysWOW64\Iipfmggc.exe	Iojbpo32.exe
File created	C:\Windows\SysWOW64\Dnbakghm.exe	Ddjmba32.exe
File created	C:\Windows\SysWOW64\Cboeai32.dll	Dngjff32.exe
File created	C:\Windows\SysWOW64\Eiahnnph.exe	Eoideh32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbjcljl.exe	Mfhbga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6388	6292	WerFault.exe	254

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1046b4d1eb86f730f947d0c1ffed6a971e3c3fa7b4186a5044a25f44b307024b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbeejp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpenegb.dll"	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijikdfig.dll"	Amlogfel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqknpl32.dll"	Hbhboolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcnfohmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npgmpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll"	Nceefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahfmpnql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iojbpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jphkkpbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfhgch.dll"	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekppjn32.dll"	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejhdfi32.dll"	Illfdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikmbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmpga32.dll"	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjnlmph.dll"	Dafppp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnbgc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlepcdoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoclopne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdciiec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lflbkcll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kioghlbd.dll"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmkdcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onapdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fefedmil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllokajf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddedlaq.dll"	Kfpcoefj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfpcoefj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dolqpa32.dll"	Llodgnja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lqojclne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll"	Bpdnjple.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfiplog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgihjf32.dll"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Appfnncn.dll"	Kpmdfonj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kodnmkap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjfln32.dll"	Mqdcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opclldhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhmbqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnbakghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfpinmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oplfkeob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieidhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbjkgmg.dll"	Jcanll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phajna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1046b4d1eb86f730f947d0c1ffed6a971e3c3fa7b4186a5044a25f44b307024b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhclmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hekgfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oakbehfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imnocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpiplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eiahnnph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfiop32.dll"	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilnbicff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjdpelnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icinkkcp.dll"	Dhclmp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 4164	2600	1046b4d1eb86f730f947d0c1ffed6a971e3c3fa7b4186a5044a25f44b307024b.exe	82
PID 2600 wrote to memory of 4164	2600	1046b4d1eb86f730f947d0c1ffed6a971e3c3fa7b4186a5044a25f44b307024b.exe	82
PID 2600 wrote to memory of 4164	2600	1046b4d1eb86f730f947d0c1ffed6a971e3c3fa7b4186a5044a25f44b307024b.exe	82
PID 4164 wrote to memory of 5048	4164	Cnindhpg.exe	83
PID 4164 wrote to memory of 5048	4164	Cnindhpg.exe	83
PID 4164 wrote to memory of 5048	4164	Cnindhpg.exe	83
PID 5048 wrote to memory of 2188	5048	Chnbbqpn.exe	85
PID 5048 wrote to memory of 2188	5048	Chnbbqpn.exe	85
PID 5048 wrote to memory of 2188	5048	Chnbbqpn.exe	85
PID 2188 wrote to memory of 2500	2188	Cdecgbfa.exe	86
PID 2188 wrote to memory of 2500	2188	Cdecgbfa.exe	86
PID 2188 wrote to memory of 2500	2188	Cdecgbfa.exe	86
PID 2500 wrote to memory of 2148	2500	Dnmhpg32.exe	87
PID 2500 wrote to memory of 2148	2500	Dnmhpg32.exe	87
PID 2500 wrote to memory of 2148	2500	Dnmhpg32.exe	87
PID 2148 wrote to memory of 3928	2148	Dhclmp32.exe	88
PID 2148 wrote to memory of 3928	2148	Dhclmp32.exe	88
PID 2148 wrote to memory of 3928	2148	Dhclmp32.exe	88
PID 3928 wrote to memory of 1500	3928	Dkahilkl.exe	89
PID 3928 wrote to memory of 1500	3928	Dkahilkl.exe	89
PID 3928 wrote to memory of 1500	3928	Dkahilkl.exe	89
PID 1500 wrote to memory of 3308	1500	Ddjmba32.exe	90
PID 1500 wrote to memory of 3308	1500	Ddjmba32.exe	90
PID 1500 wrote to memory of 3308	1500	Ddjmba32.exe	90
PID 3308 wrote to memory of 1700	3308	Dnbakghm.exe	92
PID 3308 wrote to memory of 1700	3308	Dnbakghm.exe	92
PID 3308 wrote to memory of 1700	3308	Dnbakghm.exe	92
PID 1700 wrote to memory of 1196	1700	Dmcain32.exe	93
PID 1700 wrote to memory of 1196	1700	Dmcain32.exe	93
PID 1700 wrote to memory of 1196	1700	Dmcain32.exe	93
PID 1196 wrote to memory of 3656	1196	Dndnpf32.exe	94
PID 1196 wrote to memory of 3656	1196	Dndnpf32.exe	94
PID 1196 wrote to memory of 3656	1196	Dndnpf32.exe	94
PID 3656 wrote to memory of 1436	3656	Dmennnni.exe	95
PID 3656 wrote to memory of 1436	3656	Dmennnni.exe	95
PID 3656 wrote to memory of 1436	3656	Dmennnni.exe	95
PID 1436 wrote to memory of 4956	1436	Dngjff32.exe	96
PID 1436 wrote to memory of 4956	1436	Dngjff32.exe	96
PID 1436 wrote to memory of 4956	1436	Dngjff32.exe	96
PID 4956 wrote to memory of 2192	4956	Dfnbgc32.exe	97
PID 4956 wrote to memory of 2192	4956	Dfnbgc32.exe	97
PID 4956 wrote to memory of 2192	4956	Dfnbgc32.exe	97
PID 2192 wrote to memory of 1292	2192	Ekkkoj32.exe	98
PID 2192 wrote to memory of 1292	2192	Ekkkoj32.exe	98
PID 2192 wrote to memory of 1292	2192	Ekkkoj32.exe	98
PID 1292 wrote to memory of 4588	1292	Enigke32.exe	99
PID 1292 wrote to memory of 4588	1292	Enigke32.exe	99
PID 1292 wrote to memory of 4588	1292	Enigke32.exe	99
PID 4588 wrote to memory of 3804	4588	Eoideh32.exe	100
PID 4588 wrote to memory of 3804	4588	Eoideh32.exe	100
PID 4588 wrote to memory of 3804	4588	Eoideh32.exe	100
PID 3804 wrote to memory of 4088	3804	Eiahnnph.exe	101
PID 3804 wrote to memory of 4088	3804	Eiahnnph.exe	101
PID 3804 wrote to memory of 4088	3804	Eiahnnph.exe	101
PID 4088 wrote to memory of 4304	4088	Eehicoel.exe	102
PID 4088 wrote to memory of 4304	4088	Eehicoel.exe	102
PID 4088 wrote to memory of 4304	4088	Eehicoel.exe	102
PID 4304 wrote to memory of 3112	4304	Enpmld32.exe	103
PID 4304 wrote to memory of 3112	4304	Enpmld32.exe	103
PID 4304 wrote to memory of 3112	4304	Enpmld32.exe	103
PID 3112 wrote to memory of 2396	3112	Ekdnei32.exe	104
PID 3112 wrote to memory of 2396	3112	Ekdnei32.exe	104
PID 3112 wrote to memory of 2396	3112	Ekdnei32.exe	104
PID 2396 wrote to memory of 3260	2396	Fflohaij.exe	105

C:\Users\Admin\AppData\Local\Temp\1046b4d1eb86f730f947d0c1ffed6a971e3c3fa7b4186a5044a25f44b307024b.exe
"C:\Users\Admin\AppData\Local\Temp\1046b4d1eb86f730f947d0c1ffed6a971e3c3fa7b4186a5044a25f44b307024b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\SysWOW64\Cnindhpg.exe
  C:\Windows\system32\Cnindhpg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\SysWOW64\Chnbbqpn.exe
    C:\Windows\system32\Chnbbqpn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\Cdecgbfa.exe
      C:\Windows\system32\Cdecgbfa.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\SysWOW64\Dnmhpg32.exe
        
        C:\Windows\system32\Dnmhpg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\Dhclmp32.exe
        
        C:\Windows\system32\Dhclmp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Dkahilkl.exe
        
        C:\Windows\system32\Dkahilkl.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Ddjmba32.exe
        
        C:\Windows\system32\Ddjmba32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Dnbakghm.exe
        
        C:\Windows\system32\Dnbakghm.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\Dmcain32.exe
        
        C:\Windows\system32\Dmcain32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Dndnpf32.exe
        
        C:\Windows\system32\Dndnpf32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Dmennnni.exe
        
        C:\Windows\system32\Dmennnni.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3656
        
        C:\Windows\SysWOW64\Dngjff32.exe
        
        C:\Windows\system32\Dngjff32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Dfnbgc32.exe
        
        C:\Windows\system32\Dfnbgc32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Ekkkoj32.exe
        
        C:\Windows\system32\Ekkkoj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Enigke32.exe
        
        C:\Windows\system32\Enigke32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Eoideh32.exe
        
        C:\Windows\system32\Eoideh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Eiahnnph.exe
        
        C:\Windows\system32\Eiahnnph.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Eehicoel.exe
        
        C:\Windows\system32\Eehicoel.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\Ekdnei32.exe
        
        C:\Windows\system32\Ekdnei32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Fflohaij.exe
        
        C:\Windows\system32\Fflohaij.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        23⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Windows\SysWOW64\Fpgpgfmh.exe
        
        C:\Windows\system32\Fpgpgfmh.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3916
        
        C:\Windows\SysWOW64\Fmkqpkla.exe
        
        C:\Windows\system32\Fmkqpkla.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Fefedmil.exe
        
        C:\Windows\system32\Fefedmil.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Fnnjmbpm.exe
        
        C:\Windows\system32\Fnnjmbpm.exe
        27⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Fbjena32.exe
        
        C:\Windows\system32\Fbjena32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\Gblbca32.exe
        
        C:\Windows\system32\Gblbca32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Gifkpknp.exe
        
        C:\Windows\system32\Gifkpknp.exe
        30⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\Gncchb32.exe
        
        C:\Windows\system32\Gncchb32.exe
        31⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Gihgfk32.exe
        
        C:\Windows\system32\Gihgfk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:668
        
        C:\Windows\SysWOW64\Gbalopbn.exe
        
        C:\Windows\system32\Gbalopbn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Geohklaa.exe
        
        C:\Windows\system32\Geohklaa.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:724
        
        C:\Windows\SysWOW64\Goglcahb.exe
        
        C:\Windows\system32\Goglcahb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\Gfodeohd.exe
        
        C:\Windows\system32\Gfodeohd.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\Gmimai32.exe
        
        C:\Windows\system32\Gmimai32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Gbeejp32.exe
        
        C:\Windows\system32\Gbeejp32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Hipmfjee.exe
        
        C:\Windows\system32\Hipmfjee.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\Hlnjbedi.exe
        
        C:\Windows\system32\Hlnjbedi.exe
        40⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Hibjli32.exe
        
        C:\Windows\system32\Hibjli32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Hmpcbhji.exe
        
        C:\Windows\system32\Hmpcbhji.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1936
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\Hekgfj32.exe
        
        C:\Windows\system32\Hekgfj32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\Hoclopne.exe
        
        C:\Windows\system32\Hoclopne.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Hiipmhmk.exe
        
        C:\Windows\system32\Hiipmhmk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2568
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        49⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\Ibaeen32.exe
        
        C:\Windows\system32\Ibaeen32.exe
        50⤵
        Executes dropped EXE
        
        PID:4360
        
        C:\Windows\SysWOW64\Iikmbh32.exe
        
        C:\Windows\system32\Iikmbh32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\Ipeeobbe.exe
        
        C:\Windows\system32\Ipeeobbe.exe
        52⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Iinjhh32.exe
        
        C:\Windows\system32\Iinjhh32.exe
        54⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Iipfmggc.exe
        
        C:\Windows\system32\Iipfmggc.exe
        57⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\SysWOW64\Ilnbicff.exe
        
        C:\Windows\system32\Ilnbicff.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Igdgglfl.exe
        
        C:\Windows\system32\Igdgglfl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4124
        
        C:\Windows\SysWOW64\Imnocf32.exe
        
        C:\Windows\system32\Imnocf32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Iplkpa32.exe
        
        C:\Windows\system32\Iplkpa32.exe
        61⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\Ieidhh32.exe
        
        C:\Windows\system32\Ieidhh32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Joahqn32.exe
        
        C:\Windows\system32\Joahqn32.exe
        63⤵
        Executes dropped EXE
        
        PID:3288
        
        C:\Windows\SysWOW64\Jiglnf32.exe
        
        C:\Windows\system32\Jiglnf32.exe
        64⤵
        Executes dropped EXE
        
        PID:1756
        
        C:\Windows\SysWOW64\Jpaekqhh.exe
        
        C:\Windows\system32\Jpaekqhh.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Jiiicf32.exe
        
        C:\Windows\system32\Jiiicf32.exe
        67⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\Jmeede32.exe
        
        C:\Windows\system32\Jmeede32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Jilfifme.exe
        
        C:\Windows\system32\Jilfifme.exe
        70⤵
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Jgpfbjlo.exe
        
        C:\Windows\system32\Jgpfbjlo.exe
        71⤵
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Jllokajf.exe
        
        C:\Windows\system32\Jllokajf.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Jphkkpbp.exe
        
        C:\Windows\system32\Jphkkpbp.exe
        73⤵
        Modifies registry class
        
        PID:4152
        
        C:\Windows\SysWOW64\Jgbchj32.exe
        
        C:\Windows\system32\Jgbchj32.exe
        74⤵
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\Jlolpq32.exe
        
        C:\Windows\system32\Jlolpq32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3636
        
        C:\Windows\SysWOW64\Kcidmkpq.exe
        
        C:\Windows\system32\Kcidmkpq.exe
        77⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        78⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        79⤵
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Kckqbj32.exe
        
        C:\Windows\system32\Kckqbj32.exe
        80⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Kjeiodek.exe
        
        C:\Windows\system32\Kjeiodek.exe
        81⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\Kpoalo32.exe
        
        C:\Windows\system32\Kpoalo32.exe
        82⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Kcmmhj32.exe
        
        C:\Windows\system32\Kcmmhj32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:468
        
        C:\Windows\SysWOW64\Kflide32.exe
        
        C:\Windows\system32\Kflide32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4860
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        85⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Kodnmkap.exe
        
        C:\Windows\system32\Kodnmkap.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Klhnfo32.exe
        
        C:\Windows\system32\Klhnfo32.exe
        87⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\Kfpcoefj.exe
        
        C:\Windows\system32\Kfpcoefj.exe
        88⤵
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Lcdciiec.exe
        
        C:\Windows\system32\Lcdciiec.exe
        89⤵
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Lfbped32.exe
        
        C:\Windows\system32\Lfbped32.exe
        90⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1580
        
        C:\Windows\SysWOW64\Lgbloglj.exe
        
        C:\Windows\system32\Lgbloglj.exe
        92⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\Llodgnja.exe
        
        C:\Windows\system32\Llodgnja.exe
        93⤵
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Lcnfohmi.exe
        
        C:\Windows\system32\Lcnfohmi.exe
        95⤵
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Lflbkcll.exe
        
        C:\Windows\system32\Lflbkcll.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        98⤵
        
        PID:392
        
        C:\Windows\SysWOW64\Mqdcnl32.exe
        
        C:\Windows\system32\Mqdcnl32.exe
        99⤵
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Mmkdcm32.exe
        
        C:\Windows\system32\Mmkdcm32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2392
        
        C:\Windows\SysWOW64\Mfchlbfd.exe
        
        C:\Windows\system32\Mfchlbfd.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\Mnmmboed.exe
        
        C:\Windows\system32\Mnmmboed.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1012
        
        C:\Windows\SysWOW64\Mfhbga32.exe
        
        C:\Windows\system32\Mfhbga32.exe
        104⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Nmbjcljl.exe
        
        C:\Windows\system32\Nmbjcljl.exe
        105⤵
        Drops file in System32 directory
        
        PID:4480
        
        C:\Windows\SysWOW64\Nggnadib.exe
        
        C:\Windows\system32\Nggnadib.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5160
        
        C:\Windows\SysWOW64\Npbceggm.exe
        
        C:\Windows\system32\Npbceggm.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Nqbpojnp.exe
        
        C:\Windows\system32\Nqbpojnp.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Nnfpinmi.exe
        
        C:\Windows\system32\Nnfpinmi.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Npgmpf32.exe
        
        C:\Windows\system32\Npgmpf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Nceefd32.exe
        
        C:\Windows\system32\Nceefd32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Oplfkeob.exe
        
        C:\Windows\system32\Oplfkeob.exe
        112⤵
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Onmfimga.exe
        
        C:\Windows\system32\Onmfimga.exe
        113⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Oakbehfe.exe
        
        C:\Windows\system32\Oakbehfe.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Opqofe32.exe
        
        C:\Windows\system32\Opqofe32.exe
        116⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        117⤵
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Opclldhj.exe
        
        C:\Windows\system32\Opclldhj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        119⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        120⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Phajna32.exe
        
        C:\Windows\system32\Phajna32.exe
        121⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Pjpfjl32.exe
        
        C:\Windows\system32\Pjpfjl32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        123⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Paiogf32.exe
        
        C:\Windows\system32\Paiogf32.exe
        124⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Pjdpelnc.exe
        
        C:\Windows\system32\Pjdpelnc.exe
        126⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Qmeigg32.exe
        
        C:\Windows\system32\Qmeigg32.exe
        127⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        129⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        130⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ahmjjoig.exe
        
        C:\Windows\system32\Ahmjjoig.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Akkffkhk.exe
        
        C:\Windows\system32\Akkffkhk.exe
        132⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\Aphnnafb.exe
        
        C:\Windows\system32\Aphnnafb.exe
        133⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        134⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Amlogfel.exe
        
        C:\Windows\system32\Amlogfel.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Aokkahlo.exe
        
        C:\Windows\system32\Aokkahlo.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5680
        
        C:\Windows\SysWOW64\Ahdpjn32.exe
        
        C:\Windows\system32\Ahdpjn32.exe
        137⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        141⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        143⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Bpdnjple.exe
        
        C:\Windows\system32\Bpdnjple.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        145⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        146⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        147⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        148⤵
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        149⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Baegibae.exe
        
        C:\Windows\system32\Baegibae.exe
        150⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Boihcf32.exe
        
        C:\Windows\system32\Boihcf32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        155⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        156⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\Conanfli.exe
        
        C:\Windows\system32\Conanfli.exe
        157⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        158⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5716
        
        C:\Windows\SysWOW64\Caojpaij.exe
        
        C:\Windows\system32\Caojpaij.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Cnfkdb32.exe
        
        C:\Windows\system32\Cnfkdb32.exe
        162⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Chkobkod.exe
        
        C:\Windows\system32\Chkobkod.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5704
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        164⤵
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        165⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Cdbpgl32.exe
        
        C:\Windows\system32\Cdbpgl32.exe
        166⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Dafppp32.exe
        
        C:\Windows\system32\Dafppp32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Dpiplm32.exe
        
        C:\Windows\system32\Dpiplm32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        169⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        170⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Dhbebj32.exe
        
        C:\Windows\system32\Dhbebj32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        172⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 408
        173⤵
        Program crash
        
        PID:6388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 6292 -ip 6292
1⤵
PID:6364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aokkahlo.exe

Filesize
135KB

MD5
49af362210f4365c749383efd41aa831

SHA1
45fb194fe8406146ef8253375852d114ef6676f4

SHA256
dc792f132af7331cf7e67a44af393340b584465799fd63100721e0ac8436c5bd

SHA512
d0de77433b98b42437df926cf87a1e977fb0c221d4a6c5d8af041e88e937ce9421b557b869da442dd21cebd1914dfec2ce29d0ecbb35058cf12c6ee3550f4a70

Download Submit
C:\Windows\SysWOW64\Aonhghjl.exe

Filesize
135KB

MD5
839394d898266565a3da7b2829d22b43

SHA1
2972e3af49f3ca24a3a86f87059f4c39c15dec27

SHA256
21c4591e2adee237f927627d3aeb376003b9441234d8f2f1940a730e683bc8cc

SHA512
07863bd83f18ed8b1e43f73585f2efa5c18dc476822d9b1609d9b813701a1e476a8b358d6dcdf6192f846c2161b43981f7ad3a970032b2f968222a1ab13beb45

Download Submit
C:\Windows\SysWOW64\Bpdnjple.exe

Filesize
135KB

MD5
5b36b4a05c9ad03762bc80d8b7c13756

SHA1
317a96fc57a2469ef0c2cbbd48df3a29d532dcda

SHA256
8d1ef6b2994d2cc6e05c2761c550d7b782a22c693f35833df9af9ec60eb4e407

SHA512
f96ed10191684706575447608cab270cb0f3d0e585f837cdb78993e697924cd00e909a21b3e422943e34245f4905b7d80181dce20e10e32d216ff56ac815fc33

Download Submit
C:\Windows\SysWOW64\Cdecgbfa.exe

Filesize
135KB

MD5
b9ab1bfcba2f4f8822b1abb1d4ab2d0c

SHA1
e6ef5f65e912b79cb4c5d6ea40ec154c8b004f8e

SHA256
3d7bfd42ece67d2704e7a282e63129bcc78de75ec28892ef001b5f385fc9b986

SHA512
071b3f006d2d33eb934c7d5065a793b67bced7e5799dbaee0d4bfd0970d6347a62053b0ce90c6ca83031788b10dd65a5692f71d174610fc9f2c0c143e124f63c

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
135KB

MD5
bb73e0f518b268a291a93bf8a5fce77b

SHA1
b519434071a1ec1a0dc413118a2849aa6f7ec144

SHA256
b5674447adadb0ca820111e773da6b31b906df990f1168ba535d9c7cb03b66e4

SHA512
2cf443caf9a9eb0566aeaf342740966e70fbdf69687b305a3cca42afc634f155809c9b7e0681d5ad6009c79bc1ed1431d089720df89e1e8df5970e033ff04a8b

Download Submit
C:\Windows\SysWOW64\Chnbbqpn.exe

Filesize
135KB

MD5
160e47529c633d2979e5b8b26226eb55

SHA1
e79c068c110858984a08f1dff238ad8a3b5d9621

SHA256
fe10316269c0b53364e709e1b630dd3ac5e31a7a0e4bc4016a2e53803f1de239

SHA512
83f7c5f4773d6076862b6f2440c6d60b78c78712bb9cc77bd5f081c8e39bdd5f58f6707fb818cc63e8c5c7d7785e54a93e06005705a73bf377738299b301ef2c

Download Submit
C:\Windows\SysWOW64\Cnfkdb32.exe

Filesize
135KB

MD5
48d0ad0576fc118499470687ddf3ba55

SHA1
18cc7191f0e2127991963ef55cb075857ced905b

SHA256
71211960b5be867c0224399ea4271b32159ed6d9dd9a43e309cd809983a9865a

SHA512
83ace3b27145ee7ff336540934277e2c9920d5f4eb7d0f30e27214d137a81df65d48b5a1d8447467907ec250d10e8112c0ba8be10b94ab94091010aba039f0f5

Download Submit
C:\Windows\SysWOW64\Cnindhpg.exe

Filesize
135KB

MD5
5983b9bff28e003c67e43edc25b05b41

SHA1
ac74bbad8c26a51402f04898f2751208b02ed1d9

SHA256
787a70bf92694e0c702441eb1f599146f3c31736aba6659515e8be7b0b784296

SHA512
5aed730bd9367e87f1f9d975c57effa5b681a83579517299182c42245714022176c0ae747ad15600768ed3460ede0c02a8c0f79284ac204f947cd7716c80b33d

Download Submit
C:\Windows\SysWOW64\Ddjmba32.exe

Filesize
135KB

MD5
f0a4113bb72fb86ab152798207f8e658

SHA1
47ad8b2c45363c080007b944c27f725630868890

SHA256
ef7fb03999ab194869133496ad90a307896d71a2053df3e95ce4ac615858885c

SHA512
e86d5ba669962806ce1baec8ea0e2ab6ab3352500f71f7b3846d3f42e3227402cfaf212c31fe93206d2b1d0db1ff9f4c17f7a84286f64cb553f61eff916e4dbe

Download Submit
C:\Windows\SysWOW64\Dfnbgc32.exe

Filesize
135KB

MD5
ed3931eb820c9c17952a115e1f0044ac

SHA1
c884f2c8170fbd5899012d607f2bab2db657d46a

SHA256
5bf280ae12a68d30fcfa596a1bf3fca17d581f950181c885e888055a6dec118a

SHA512
f0b41c5d4b2efff7b517a95a382dbba735dfe4f8a66833ee28263b337d34981daa4093582a90e8c0407339aa6ac9eee4a3d9a1e16b56aee515b8fb9002270c04

Download Submit
C:\Windows\SysWOW64\Dhbebj32.exe

Filesize
135KB

MD5
32796eac3cdaa48f67c9b8b4f7f88c32

SHA1
7708c5c4f82f30b8294ff20ec4d05e67440ddf40

SHA256
3f270d5788ded8c6f30f47ac4c3092d91415359cae98efc3e934d02002fbfed2

SHA512
b998f162e35dbc2d8fdd0ed198c3b70e8711924f887430640611b2547cafd1e9178413122754b8ec509133c366e4a21ae35ded107f5e16b1bdd41b75881460a4

Download Submit
C:\Windows\SysWOW64\Dhclmp32.exe

Filesize
135KB

MD5
bb5286fbadc3e261b11765ede52d923b

SHA1
f14f28e0e6b1622ff4388e0713a71c4aa0547bf7

SHA256
29629601f24f3ad243dac84e5159cb7c7254ae269f6b6aa837eacbde3fdaa33e

SHA512
05411488f0575bf2976008d99f1d2002855e06fa8eef3b8ff0542c4d3da6a2b6de8e0090b476119b5ec0d7edb0703f976b8beb6193aad4c6320214af54309971

Download Submit
C:\Windows\SysWOW64\Dkahilkl.exe

Filesize
135KB

MD5
bfa6a29c8b8fe471fa3aaa8f19cb26c9

SHA1
c7f9d027e943c68cded3614726c487f08b44a338

SHA256
f54af418fdcea3390811510cf0b9c3f4b6a669898cead777d357a94cb6c36dba

SHA512
2a4920dbd3dcb152f003ef6cf420b90f3ac6f5c79831f3b9eae2e17da4d31cb7f441c1440f6a32e7d9b56189de504a34f2fc6f857aafcbf757649c0d3035d5d2

Download Submit
C:\Windows\SysWOW64\Dmcain32.exe

Filesize
135KB

MD5
f5d64f3048fdabe14200197132d213f5

SHA1
b1421dd286fa783a57d659d5b3ee98b30dd1051f

SHA256
27e0af576b798864e9c1effa744fdfc85af887d010959e932a048b5e01c02408

SHA512
3f434e02b86d2b57ceeeb646ec2a0a58922ad4962c3f2539ad037100336ff6eee49e1675d998e527e36ca88de14e698d0a7c93bd88405c7ab60d9c5af12f10c5

Download Submit
C:\Windows\SysWOW64\Dmennnni.exe

Filesize
135KB

MD5
b63d36f87cdefc12483b9dc5bdbaaefa

SHA1
b6279349897c8375f47ae175c6cc3218c1dc9126

SHA256
df9c3629cabf6557a5429ba02f492ccb11180b7e2ffa2f2e5f7df84edc299297

SHA512
58604bd96d09da98dd24829ca70fede17bd986a09961990aa3972bad5f439dfc8082b88a6203c566be40bb9fbe6f13ed5665e76e9fdbc6357b6b4cd1d0b55725

Download Submit
C:\Windows\SysWOW64\Dnbakghm.exe

Filesize
135KB

MD5
5ca8f823636d8e18d0c98150bc6425a9

SHA1
77174639d90e007d968ed8897ea2b6d49686ed73

SHA256
7b78c8693cac7842f841e2c479913cba67773361d95d1368e0a8c67733884c94

SHA512
c354b5bfb3018a211268d423d22dc73271b7a5bde8927fe5a6c808f076744322ebf456bc8f5cee1bfaac26a4d9a1008237c6ebe05113e5f6acbe49a2e2b1e6bc

Download Submit
C:\Windows\SysWOW64\Dndnpf32.exe

Filesize
135KB

MD5
33baf65c70e3fdef9896b14c5b75b0a1

SHA1
9bd95c1e4f1583bf8b73e9f1a3aac4df672eca08

SHA256
7d25632164cbd849dfb370a400abbf50e41e30a33222e18299e6e16f1e3b6d95

SHA512
4f9bdcbf4c6409ace477718ab5fe49c96cdd31323050ec4c7839c197ae6051e8229c3c02bc5d412e17dfd869ce3f07b8b2ac2afebab3430c6fac9663ac829d6a

Download Submit
C:\Windows\SysWOW64\Dngjff32.exe

Filesize
135KB

MD5
21f68319b076323f86c34854573d89d9

SHA1
f18bbceccdfbc571c6b96e59dad4e3b95068dc48

SHA256
c7faec463424d5937e5e748ce8927e44b1296de9a82af5133f3fcc2b720ebb28

SHA512
22aa512bf1c5b73fbf661e64f04b32813a33ebd690486b13f1e72838a501b2f7bd9207a444d63fe41059876d00db2a0f091a05dcbf02a2c8633355eecb2d3be4

Download Submit
C:\Windows\SysWOW64\Dnmhpg32.exe

Filesize
135KB

MD5
4919028de6de7c698e1bf9978ed21a05

SHA1
c4712b9aafeae67e83ee4ee983f3e1b604aa0745

SHA256
290b89f9fa3c06201006ea2b6a5da488a2dc3e8dbfcfe0f50a235207222435c8

SHA512
08a2ec9e1f19da66060b3cbd5d370d321408f430656e6ccefcf95a17580005e56d706f62af3c44d899af3948e4e0f69ef9c68ef41f07a9d65ac468faee9627c9

Download Submit
C:\Windows\SysWOW64\Eehicoel.exe

Filesize
135KB

MD5
83ed5b7e06ed05b20333edacc001b2e6

SHA1
ed8ab8b12e8b6208d4b123ec84af15a8f43b29b6

SHA256
18f0456381e2e01c004e0ee8362342759f1b05da8a9c20785798747ed777b3a5

SHA512
29afd03632365a0147085dd5345a6c4795af027c6b4868a0cd22da1082fd7cfc2ea1a26dda2d7cc75840bf8c98fdd710a5a2fdd1cc2a3a0fd026afae1115622e

Download Submit
C:\Windows\SysWOW64\Eiahnnph.exe

Filesize
135KB

MD5
26aa1c719a14cba1fafaa085ab721dca

SHA1
0f3ad2ce768ce9cbbf3a0dbc5d3abd125e863dfc

SHA256
f3b74b161a389a940a819700f98082e797f868e0a0aba8b475604e326cec38f7

SHA512
a5dc425dfd7ed4faeb598abd7501a263baa43aaf5356383194f910b876ca7b52451d398a04bc1366e428b929189499d4a90011d94d5531fa90101f8eb460e3b8

Download Submit
C:\Windows\SysWOW64\Ekdnei32.exe

Filesize
135KB

MD5
43b436490df1b73ac9aa6d3fe4adbbe1

SHA1
6bea96554b7d7a0f79e74c4a9c53cf49d65cbd8b

SHA256
7b098bfda61f7a9b8301f3d06c08954d076943c7e6fd1fbc51175eba1349ceea

SHA512
257470356a128b38971d4d3ccbb8451a66f2a26ec0508922c2450eb75ba556b7628caa8874381d68ecf2f6103edec9775013c956c1e495c38cea7241a28178f9

Download Submit
C:\Windows\SysWOW64\Ekkkoj32.exe

Filesize
135KB

MD5
c7a5137087c89f12d5683abb3d3e6b49

SHA1
9b0bd1c81a80bec989040158b17830e5882e9dc9

SHA256
43c9a2e523cf14da529eb66ad0efafa373cbe12da1342c01f58a2074b6a72e28

SHA512
89e613b6d5ef0458d6d258441125a1f8323468c41387786481443a69a73a3f749624ce8b779f8aa9ec6d4f44175a78da0487fb172527257f29fd8e9fbe733969

Download Submit
C:\Windows\SysWOW64\Enigke32.exe

Filesize
135KB

MD5
bc66a6ba6bac795fe9326481fd069780

SHA1
d2213c0d65ba677776fdb3e5ffdf6a6e776465a4

SHA256
da2fc48b351ad4bcf2c2d6b35249d6f17c414f089b87a3489c4826eea6d7c2db

SHA512
9cb632e70c5726e52a66c89b757a163c5d16a802ca17317481a832676346f528867bdb7515c8b41ba090f6b61cff119c0ab05b975f115af54680cee849094006

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
135KB

MD5
4761173da15db5bc2cf18250acfbdca8

SHA1
5f4299858d3f4f97d6c2d89bf737c3430c29faec

SHA256
9f319f40a0258805075e78c61ba8928828c82b70f42ccd23b35748a4801dd49e

SHA512
8a4ae01430b8761812b95a525b449842bf65737ce6ac25bdb85eecf7be5cb28b529996b717de9a0d0af0935ebd7ea289acbac8f5b7f9bb041661ccc8ee1bdbb3

Download Submit
C:\Windows\SysWOW64\Eoideh32.exe

Filesize
135KB

MD5
9ae9ff00b890a5f392e1c995950ebac2

SHA1
d4e6561dbafc2e05582e010c86710db9db1bd8a4

SHA256
8b281da707c5a9b666b622027372862b79826e9b55edea955618a3e015e2a07d

SHA512
84a50dba4afd9cbaba3a25c5fc35e3ca7856a283758e0016010ee8177b8d9c70728092d6a0d7a27eb6cbb4f9abc54fca7d07c907e144b83d68e9e5423ace8597

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
135KB

MD5
e07f6510389ed6fa2b7fe5164207f98a

SHA1
ec2a6fc8f0adfd3850d1902a4fb9f3d89589ec6d

SHA256
95fde93c8dc44981f40c406211aa7c4acaaaad6785ed0190789891f0aeb8f664

SHA512
a6dabe6b84d7ee500acf6d12f9106110911c595230c80f487c28f979e4b56d8c0bc883bf4160fc25b3105cfee71f1ac40e496ee16268837bc791aacd92a7552d

Download Submit
C:\Windows\SysWOW64\Fbjena32.exe

Filesize
135KB

MD5
a0a8ed85a5098776bd414ff4e05c4b4d

SHA1
02e7790da447a79f332abddf11cebe1485e870f5

SHA256
dac79a9ce9af8bc8dd9c5cb75819da573ff35630b1544e0a4639b3f95de4b4ef

SHA512
90004a67436498fcd71355a4b986f672f87fe1f9e2059a88fe01709a2fa2071b2a224213af97291b2dfef1076039c52658a5a64ea313d128ab6ee2eb95b0ee0b

Download Submit
C:\Windows\SysWOW64\Fefedmil.exe

Filesize
135KB

MD5
7fa8ae6b72deab346bd2806164a10644

SHA1
5ee0b458ff9ed654ba958d930351d3ac933a49bc

SHA256
c5d603e2a7a011c89f97d5d4c3a87ee5a9ab7c388a70271fb5bce8744b5f1c11

SHA512
6000759fdbbd3725c18efde89a4ff15b4011df377012ab606a03b938554bdf828d8504b2b7540d8eb80017e0313b894a10178b3fe45af3904b5fb6f3cba19092

Download Submit
C:\Windows\SysWOW64\Fflohaij.exe

Filesize
135KB

MD5
a1f2d3758147ea37fcfaaed9e5b00809

SHA1
b94581c6e0442e9fe4fd93d0d127891347a38021

SHA256
242de276b27f383664862914c9e7fd576fe3f3444156b7a5fcaedc558d8ecb5f

SHA512
b2f1aa4efc49b02181efdcfd2bf94667887e44e7a554a697ba2800a8b548f6f72f2a53de57ab24a68c88d0f32745958fa03d2cef231e7bf5edb07e99d95acdf7

Download Submit
C:\Windows\SysWOW64\Fmkqpkla.exe

Filesize
135KB

MD5
5b6bb1bf8212693c56284d117c97fd86

SHA1
9b1f82e6de25bbaae688881f76f9d3bc93c874b7

SHA256
51e56125bae5e83e355eafc7205fd7161612176917162fcac4c4d9ff5ea08941

SHA512
0ca26731856d09f35aa350173f9a70ed61f0f23dd01bacd31d6e2e5e6edc0a67b6d9d5928534c1c3c46c51f6a6e8a143f107a737e3a9abb9396f48c7eea0b673

Download Submit
C:\Windows\SysWOW64\Fnnjmbpm.exe

Filesize
135KB

MD5
c2cdbd3819cfa472dacee270de6ddefb

SHA1
148115e753dc1f6c8a9a2e404d065594ae265bfc

SHA256
bb684feca81ce94a8fdc737c8be6d363e7e84b92109bcaea9d33649c869df764

SHA512
3cab143e3be929f67a8ecfc824e30b80c5d50f403dd98872243202a4b42d11e65b9089c0b1edb523fa056376780512fe776991d2b303b416f8261457f07f4499

Download Submit
C:\Windows\SysWOW64\Fpgpgfmh.exe

Filesize
135KB

MD5
12e82bcb1eb97c9450de1998c03652b5

SHA1
381489afa4750a4e4e43ae6a85786548c71c4ebe

SHA256
2fcf0bb7ce93a207b42c95244e7274a59799a9b8cc7bab263521f8b83da6fc35

SHA512
cc2fe20a9abf9c8618b3bc4eca245f03de902e05de0cc9eaa1f00ac566179e986f37eff6e444e32e554962271ebe25749a18a0e95d34b76dbeb507807b832977

Download Submit
C:\Windows\SysWOW64\Gbalopbn.exe

Filesize
135KB

MD5
38b3e89c1e4c097990b0e831dd6a77a2

SHA1
c101764b0aa68711b665e75f20ba37bed693cf69

SHA256
fdf76bf5453b1420a1dcc8b1fed304813f864e60a341bbfc95a6807a35c36b68

SHA512
ce457ef95218aebe7c8f81840614dc9d11f331b56b2e0fbae2982ff98eee6c5c610af1f7bd5570b3c32b2479f0f06567a957de4e93741110eed88a162d3f16ca

Download Submit
C:\Windows\SysWOW64\Gblbca32.exe

Filesize
135KB

MD5
895ea458f8eaf4a5fc51a4f846ae98d1

SHA1
9d7c8ea4111b32c0d7016001488fd5ab636df3a3

SHA256
55f440ecec941916dab3e256954eb9bc46afefdc414791407a9d5ce406dcb7d7

SHA512
f0965b65585728d685351f63761b9a099a8573a098ea36cfe36ed1d82993262c133c5e83afecd3a6cd11601664dc2d20ed9fb52c6f661356799724f27c83801b

Download Submit
C:\Windows\SysWOW64\Gfodeohd.exe

Filesize
135KB

MD5
9b5a2832be1dd4ae9b38b32db30280f3

SHA1
30f423f4d32615f17515db3d99384b5be7c37341

SHA256
81b82c619be42de0e442a73af5812cbb6e062ea5e00bc147b5eb9b878fc04bf5

SHA512
b4c41c12e99c453e27dcfa0e43fe238fd540ae30a2e1097941e1fb962aaf9bd4369694b873207a676cfa6b0f360343716409ba7fff2516b94540d9747be8fe26

Download Submit
C:\Windows\SysWOW64\Gifkpknp.exe

Filesize
135KB

MD5
47e5d7389b970d542572a2bc70949db7

SHA1
456a8a0e1d6607290f8367167b2760b4247df610

SHA256
241d992142bb1ea79bde38623ba0055d3295242e49099c4c92be4be12590889a

SHA512
c4add72d22c1c0a113127592f01eb5356e5cd260b5c76ee178793c7da7c100991c06e41784b122546b621fe4293f15cd5749735778f7085449584eafb2741ba3

Download Submit
C:\Windows\SysWOW64\Gihgfk32.exe

Filesize
135KB

MD5
ef2e52ca2e81b7aff6413cf926b9b842

SHA1
77b5458d29cb4e3c692d6808bb3b9e786d05f989

SHA256
82dcd7df8775489739c59600081357c8249716fa1e9290c47ebcbd54962d103e

SHA512
d467f9154d141bd921dd1b6884bcc9ce1d14105d44fab7f84b87f18dd6db0bb219203d1a492ccf4954bf277adee7d718b11762c713b60d8ea0b81a8a2b8eefd2

Download Submit
C:\Windows\SysWOW64\Gncchb32.exe

Filesize
135KB

MD5
771801bec6af206178d62939e822ab34

SHA1
04cab002fd0723432266f6c41f2b6db5dfd5df89

SHA256
4636a1f8e444b4bd86e91951946ae44a91fded62569a0a082072159d7b691b75

SHA512
9f8078df1e355142dd3d8dadf9d4646d369bd51e33cc7e8e4f1d39c8789bea20d23b69cf0a49c3432c3fdcb6a5cd68dbf35db567d2449f30408ebde8e09ab6d0

Download Submit
C:\Windows\SysWOW64\Igdgglfl.exe

Filesize
135KB

MD5
f8efb049020ba2a27569cb3bf60589cb

SHA1
ee84fec60b9ee4c1af7119ce5a9f2d59462afad6

SHA256
1aaadc04cb1374623c33e22b6b16f381df53032b810b32c0b9b179a0629306dd

SHA512
948eb264ad9e64109cadd586125e89f74ff4ffb01e1b3dc10db81d016b1e549ec1a0e24a0e6d3ecc85b7ce99798ef230e4b6e6a277a2ec22c131bd272f3bb658

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
135KB

MD5
d2509e084da2e82b0b4c11f312c762e1

SHA1
1cd4a8ed3f72be287265a7603493746068e15732

SHA256
2c262003773cf48b7869b8247ddc8cc86ec581d1ef6d9bd0dafe4794bf1f27f4

SHA512
30c04c08a55f8d12fb9e648b38c8258a6ac8d83efbae050b3aa2b220d924b57ae7dd2b9b3fa21fbf15a728e12602c7bda0715f1d6cbbb5ce367d2c68954ac874

Download Submit
C:\Windows\SysWOW64\Mfchlbfd.exe

Filesize
135KB

MD5
31f3d4f89bce1839c8d51972e7338480

SHA1
3472ad16b1eeda8f4234836d4f986186bb4ad4d2

SHA256
fb828f2403c27ece8a7876e985f0c6327d4a9b7cd8c4521d28b229995f0c9823

SHA512
cda14b103f82487fc16c3da881178b734c0f8dd6dbc1934191d1abf45aae6e89cffe60ac6f0f9ec93b75f10a03039dddc059046054a68d4016dad4a82868130b

Download Submit
C:\Windows\SysWOW64\Mqdcnl32.exe

Filesize
135KB

MD5
1e964067e210edeb31ad8cdbb8f23999

SHA1
561e6400bf073c29be0bfbb25489d1fb10093c57

SHA256
9c834475bd04eeb404c145b579497ddc8dcf4c565a6443493d141a9385fe669c

SHA512
78586f9f20975a039f5200881936d2469caf6570c68292a8d78ccf817e9d864a0fb300f55b0dae27a8db88ab3c486e9ebe7aa70c20461c9be29a81faa1b3b176

Download Submit
C:\Windows\SysWOW64\Nggnadib.exe

Filesize
135KB

MD5
2a9f25ad6af83fa9951a7591627a7237

SHA1
3ab0f08ea48d22b074c0e062bb463ae42524a16c

SHA256
587ed051a2f0ae18a2fcbbe0b352783e800ad2dc2435699fd9ded112d003fc0d

SHA512
d0a72dda255f09920f4fd27285d5e8adea1d4e899d9eb1eb798cf430b8b508879a2a36466eadfdd615268276ee294b70684626ecff8a73023c86c27565df45d8

Download Submit
C:\Windows\SysWOW64\Nqbpojnp.exe

Filesize
135KB

MD5
ca176a79392b4a105b4b00327ccd4cb4

SHA1
89718e0d108d073adcdeed2d88481d7e56593ff3

SHA256
cdc271a5b05fc8988e094619037c68e3ef91adb827f45b9416776fb5f389bee2

SHA512
cca809265bced81ad9a6eb524388919acb9c9d0a3be29efe5c870847850ca7ff246aa4245fb1a9efc03c318fc77cea3d90f539e2bd0045c346fce57725ecb2a6

Download Submit
C:\Windows\SysWOW64\Oplfkeob.exe

Filesize
135KB

MD5
39cc1a932197a85725550496e8174d6a

SHA1
df79a886f98c1adb71b548fa02ab0714456a7567

SHA256
c5c3c557b5dc33d7b152e7ba975c2d55dd126b48dffd4d514e5c559bc332307a

SHA512
04d0f8750390d11b8ad15e9d7db2d11bed3abdccac658d7253891fd58ce4f746bcaa357bfac8d2c8be044513f1c570a270281f45644cceee991b9e0cc35c73d5

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
135KB

MD5
ebc0a24c3847e6d72ec263badab2a3f2

SHA1
59afdfab82c04fa5c1ae5c342daa6c2de9737b1e

SHA256
fc6d6f2d7c934bf9fcb916247c2dd450cb952014b7b0d9f9f83711a3ae0e48d1

SHA512
9f44b375a495998dae30094d74cfc56524a606c54a36f462d7d1a45b3bb6d71ffe58f7aba670d2892caad7360b41c390102a6cc9a04b6774c32d7ad30ff5b5ff

Download Submit
C:\Windows\SysWOW64\Pjdpelnc.exe

Filesize
64KB

MD5
bab483ab34fb807969aa583f56413761

SHA1
730506f628b0211d676da96a5199cb653b9d9ee8

SHA256
1d3a7f0c048cc0554c6c4209e3f25bb23570aaa40377e4cde8ab5d57c5798b83

SHA512
9c293abb4400a6051e99b9496651abff8f8b7a6d3b2a9c3b891bdb273ee79accb66b8db2292f560760be35a6a9ff25465718c7423888feae388508ac688d247c

Download Submit
memory/372-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/388-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/468-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/668-249-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/724-263-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/832-507-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1040-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1172-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1196-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1292-120-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1392-395-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1424-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1436-97-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1440-538-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1500-593-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1500-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1532-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1576-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1700-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1756-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1840-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1936-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1972-387-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-491-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2148-583-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2188-569-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2192-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2352-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-425-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2364-557-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2424-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-572-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2568-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2600-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2600-539-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2660-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2700-509-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2796-357-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2852-573-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2928-540-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3064-526-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3112-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3232-594-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3288-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3308-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3348-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3396-407-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3436-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3460-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3472-269-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3592-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3608-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3636-520-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3648-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3656-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3672-484-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3696-339-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3916-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3928-586-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3928-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4032-530-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4060-467-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4084-329-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4124-413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4152-502-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4164-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4208-551-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4296-261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4304-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4360-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4364-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-225-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4512-587-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4540-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4588-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4760-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4792-485-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-571-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4956-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5012-473-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5040-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-558-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5048-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads