1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe
Size

45KB
MD5

b17b32919e4a0cb4edf33886eb433fb9
SHA1

0fa5520bc71c9da468d0cfb0c2c028c7f3890092
SHA256

1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56
SHA512

a5064941a040ab40129d5c89afc740a13ae7e68c987d26d0f0dde5b18653346eb6ea31f9eb402d74c82dfa982b244c3427a206516e51a8eca52806330f9d290c
SSDEEP

768:3X5ariyMw1/XMLcdN30qr3N6Dwfl/1H5:3XgmkkW30I9Dff

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daifnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dllmfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe

Executes dropped EXE 64 IoCs

pid	Process
412	Debeijoc.exe
1844	Dllmfd32.exe
548	Dokjbp32.exe
4568	Daifnk32.exe
5004	Djpnohej.exe
3092	Dhcnke32.exe
4872	Dpjflb32.exe
4668	Dchbhn32.exe
3112	Efgodj32.exe
5116	Ehekqe32.exe
4640	Epmcab32.exe
1496	Ebnoikqb.exe
4832	Ejegjh32.exe
3808	Elccfc32.exe
4016	Eoapbo32.exe
1040	Ebploj32.exe
4808	Ejgdpg32.exe
4312	Eleplc32.exe
4960	Eodlho32.exe
456	Ebbidj32.exe
2408	Efneehef.exe
4840	Elhmablc.exe
888	Eofinnkf.exe
3476	Ebeejijj.exe
1708	Efpajh32.exe
3516	Eqfeha32.exe
3572	Ecdbdl32.exe
916	Ffbnph32.exe
2376	Fmmfmbhn.exe
4028	Fokbim32.exe
3672	Ffekegon.exe
2028	Fmocba32.exe
1620	Fomonm32.exe
1996	Fbllkh32.exe
1540	Fjcclf32.exe
952	Fqmlhpla.exe
2228	Fopldmcl.exe
1988	Fjepaecb.exe
3416	Fmclmabe.exe
380	Fqohnp32.exe
4572	Fcnejk32.exe
4984	Fflaff32.exe
2668	Fqaeco32.exe
4592	Gbcakg32.exe
1508	Gjjjle32.exe
3848	Gmhfhp32.exe
3696	Gcbnejem.exe
3712	Gfqjafdq.exe
4200	Giofnacd.exe
3056	Gqfooodg.exe
4192	Gcekkjcj.exe
3224	Gfcgge32.exe
4404	Giacca32.exe
956	Gcggpj32.exe
1076	Gfedle32.exe
1396	Gjapmdid.exe
5044	Gmoliohh.exe
708	Gbldaffp.exe
3228	Gfhqbe32.exe
2160	Gmaioo32.exe
2836	Hboagf32.exe
4892	Hcnnaikp.exe
2092	Hjhfnccl.exe
1372	Hmfbjnbp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	Eleplc32.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Debeijoc.exe	1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe
File created	C:\Windows\SysWOW64\Fjepaecb.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Qfiapa32.dll	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gmhfhp32.exe
File opened for modification	C:\Windows\SysWOW64\Giacca32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Eoapbo32.exe	Elccfc32.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Efpajh32.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Inomojol.dll	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Elhmablc.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Hpbjkl32.dll	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Gcbnejem.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Ogedoeae.dll	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Ebploj32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jfffjqdf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6636	6836	WerFault.exe	281

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chkede32.dll"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epmcab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifqbnpb.dll"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehifigof.dll"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 412	4780	1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe	93
PID 4780 wrote to memory of 412	4780	1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe	93
PID 4780 wrote to memory of 412	4780	1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe	93
PID 412 wrote to memory of 1844	412	Debeijoc.exe	94
PID 412 wrote to memory of 1844	412	Debeijoc.exe	94
PID 412 wrote to memory of 1844	412	Debeijoc.exe	94
PID 1844 wrote to memory of 548	1844	Dllmfd32.exe	95
PID 1844 wrote to memory of 548	1844	Dllmfd32.exe	95
PID 1844 wrote to memory of 548	1844	Dllmfd32.exe	95
PID 548 wrote to memory of 4568	548	Dokjbp32.exe	96
PID 548 wrote to memory of 4568	548	Dokjbp32.exe	96
PID 548 wrote to memory of 4568	548	Dokjbp32.exe	96
PID 4568 wrote to memory of 5004	4568	Daifnk32.exe	97
PID 4568 wrote to memory of 5004	4568	Daifnk32.exe	97
PID 4568 wrote to memory of 5004	4568	Daifnk32.exe	97
PID 5004 wrote to memory of 3092	5004	Djpnohej.exe	98
PID 5004 wrote to memory of 3092	5004	Djpnohej.exe	98
PID 5004 wrote to memory of 3092	5004	Djpnohej.exe	98
PID 3092 wrote to memory of 4872	3092	Dhcnke32.exe	99
PID 3092 wrote to memory of 4872	3092	Dhcnke32.exe	99
PID 3092 wrote to memory of 4872	3092	Dhcnke32.exe	99
PID 4872 wrote to memory of 4668	4872	Dpjflb32.exe	100
PID 4872 wrote to memory of 4668	4872	Dpjflb32.exe	100
PID 4872 wrote to memory of 4668	4872	Dpjflb32.exe	100
PID 4668 wrote to memory of 3112	4668	Dchbhn32.exe	101
PID 4668 wrote to memory of 3112	4668	Dchbhn32.exe	101
PID 4668 wrote to memory of 3112	4668	Dchbhn32.exe	101
PID 3112 wrote to memory of 5116	3112	Efgodj32.exe	102
PID 3112 wrote to memory of 5116	3112	Efgodj32.exe	102
PID 3112 wrote to memory of 5116	3112	Efgodj32.exe	102
PID 5116 wrote to memory of 4640	5116	Ehekqe32.exe	103
PID 5116 wrote to memory of 4640	5116	Ehekqe32.exe	103
PID 5116 wrote to memory of 4640	5116	Ehekqe32.exe	103
PID 4640 wrote to memory of 1496	4640	Epmcab32.exe	104
PID 4640 wrote to memory of 1496	4640	Epmcab32.exe	104
PID 4640 wrote to memory of 1496	4640	Epmcab32.exe	104
PID 1496 wrote to memory of 4832	1496	Ebnoikqb.exe	105
PID 1496 wrote to memory of 4832	1496	Ebnoikqb.exe	105
PID 1496 wrote to memory of 4832	1496	Ebnoikqb.exe	105
PID 4832 wrote to memory of 3808	4832	Ejegjh32.exe	106
PID 4832 wrote to memory of 3808	4832	Ejegjh32.exe	106
PID 4832 wrote to memory of 3808	4832	Ejegjh32.exe	106
PID 3808 wrote to memory of 4016	3808	Elccfc32.exe	107
PID 3808 wrote to memory of 4016	3808	Elccfc32.exe	107
PID 3808 wrote to memory of 4016	3808	Elccfc32.exe	107
PID 4016 wrote to memory of 1040	4016	Eoapbo32.exe	108
PID 4016 wrote to memory of 1040	4016	Eoapbo32.exe	108
PID 4016 wrote to memory of 1040	4016	Eoapbo32.exe	108
PID 1040 wrote to memory of 4808	1040	Ebploj32.exe	109
PID 1040 wrote to memory of 4808	1040	Ebploj32.exe	109
PID 1040 wrote to memory of 4808	1040	Ebploj32.exe	109
PID 4808 wrote to memory of 4312	4808	Ejgdpg32.exe	110
PID 4808 wrote to memory of 4312	4808	Ejgdpg32.exe	110
PID 4808 wrote to memory of 4312	4808	Ejgdpg32.exe	110
PID 4312 wrote to memory of 4960	4312	Eleplc32.exe	111
PID 4312 wrote to memory of 4960	4312	Eleplc32.exe	111
PID 4312 wrote to memory of 4960	4312	Eleplc32.exe	111
PID 4960 wrote to memory of 456	4960	Eodlho32.exe	112
PID 4960 wrote to memory of 456	4960	Eodlho32.exe	112
PID 4960 wrote to memory of 456	4960	Eodlho32.exe	112
PID 456 wrote to memory of 2408	456	Ebbidj32.exe	113
PID 456 wrote to memory of 2408	456	Ebbidj32.exe	113
PID 456 wrote to memory of 2408	456	Ebbidj32.exe	113
PID 2408 wrote to memory of 4840	2408	Efneehef.exe	114

C:\Users\Admin\AppData\Local\Temp\1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe
"C:\Users\Admin\AppData\Local\Temp\1346f477ebefea3e05021a85b3fe428002620671bff1f2245a201b6733282e56.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\SysWOW64\Debeijoc.exe
  C:\Windows\system32\Debeijoc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\SysWOW64\Dllmfd32.exe
    C:\Windows\system32\Dllmfd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\Dokjbp32.exe
      C:\Windows\system32\Dokjbp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        26⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        30⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        31⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        33⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        34⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        40⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        44⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        45⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3848
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        48⤵
        Executes dropped EXE
        
        PID:3696
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4192
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        54⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:956
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5044
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        59⤵
        Executes dropped EXE
        
        PID:708
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        61⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        62⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        63⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        65⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        67⤵
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3120
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        70⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        71⤵
        
        PID:596
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        72⤵
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        73⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        74⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        77⤵
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4772
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        79⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:32
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        81⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        82⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        85⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5228
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5276
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        88⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        90⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        91⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        92⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        93⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        94⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        95⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        97⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        100⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        101⤵
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        103⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        104⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        105⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        107⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        109⤵
        Modifies registry class
        
        PID:5300
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        110⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        111⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        113⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        114⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        115⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5828
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        119⤵
        Modifies registry class
        
        PID:6000
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        120⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        122⤵
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        123⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        124⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        125⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        126⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        128⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        129⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        130⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        136⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        138⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        139⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        142⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        143⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        144⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        147⤵
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6404
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        149⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        151⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6572
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        153⤵
        Modifies registry class
        
        PID:6612
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        154⤵
        Modifies registry class
        
        PID:6656
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        155⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        157⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6880
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        160⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6964
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        162⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        163⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        164⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        165⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        166⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        169⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6524
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        172⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        173⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        175⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        176⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        177⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        179⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7160
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        181⤵
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6448
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        183⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        184⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        185⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6836 -s 400
        186⤵
        Program crash
        
        PID:6636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6836 -ip 6836
1⤵
PID:7152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
45KB

MD5
f8b3380fff27681c787dd1a77b19a666

SHA1
d4102b16a7527c80ccf68b115003ecc131be2b36

SHA256
8113fd4f01b76f88bd2afdabed3ef67aeee1f520cd6cea67bdc537dcb4762f6c

SHA512
de6df7f2d86c9cc095d00587f40f648b88dbf3f747610a8b9e437076c1f30ead9e9e0c3eba2ba1b2ca0c7cb6634e7e4507b026b25b4b8fbda17e9bd41a598a64

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
45KB

MD5
458c8e5ab9762ade39d54043e54cc2e3

SHA1
0d67ed6706603ebfe9057a08455ee9f2e3976ffd

SHA256
4a6567f4448d229775025e4a2b9fae101924d5c5a2d4c4c03c267a201d962dee

SHA512
9c3dcca7e770f6308a4e60afdbc0f5b244bfd39e51229425919a5ad5f074d03d7df0c2f1fb65b9cb2fc3c1ca4be3028e903d36257ebaab16430c8a19ef2b7179

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
45KB

MD5
01fc8be4a3fb775bf099c3e2863c8300

SHA1
621153b359e232e4a5ed7c3a7f208a3c54cd96fd

SHA256
0a55b226552c5d38f5f1ccc39c074147c51e981488625f7faddc01226efbd8ec

SHA512
68addf51fa2b281f3d91c1ea2e2e5e6db2000edb1a0754c1fee9a68aa558b86aa28b783d7e3d689c54f359459fc3b62ba061943a1ccba62876a913798d104a36

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
45KB

MD5
031c63dfa9c033d01c7f3c023832059a

SHA1
94a6e471d043aa682474ea64fe467a71abf78587

SHA256
6006460d11598bc943f0bbae539aa0e39bcac4594343426ff56b7dccd2d9f204

SHA512
ac746d149d55c540568cb412e72720280cecb77fc1e3ddeb8f4fcea48fe3590c008341ad4153422dd53365ccd8b709af19be6c4f7fe50a7bbaf7e8cdfa3381a4

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
45KB

MD5
cecfd10b8411fc033f316ef01a83c25b

SHA1
762a2652e9418075f12488117378f53fd49df91d

SHA256
f7e4209dcad634480bdf99e13a4a5c3803a389365b81abc3083de7efa4d650e9

SHA512
d7bac24d0ae21477b1f56ec8355191eb7bfa9d4f06c023eded0a5aeab9c72ec73e5e5bc20efd116e67eda3d6eee9802fe70e914c58acc5e97f6c9ae486845987

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
45KB

MD5
4587ac5d5f004a2ed37d13b0f516013c

SHA1
8377153c094cc4488af1a6c3e37371cb54bdc006

SHA256
aab5c9a4e84417079e998114480dcc3e9102d6adb54e5a79369f39ec6d072f42

SHA512
6aab62707c2357a4a9272b0860149ce7222ada65aba955ba1b495eaddb3370c0836c84771c3a018dcc677c04f905c4acbb79d7b9ac942b710655b3e2aa3c720d

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
45KB

MD5
1797e60e597f0fc32fa166b4647d0b5d

SHA1
d5f261ca3853da93bc6877bff11cdda159bf42bb

SHA256
25055c1ba4f77c8ffa73b6cf06b7c50187cb637a0b96963fa0338002de79a345

SHA512
19dda0da38bf8de7974d41d48fa92f0b14de830b1f45980b32a04fe58fe62c99d120aad13771dd15afdf6c14351f9ddf1420219c1e99e5707661f53ec488a928

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
45KB

MD5
b5b066ff5aae9d3dfa2b41cbb7a38e69

SHA1
5f5f337545b1980e87bc7833aa1b3332d81b8881

SHA256
90fb1fac51fd07dfac0c35a4a888eb14f33f7aa4135946bdaf8be206095653e2

SHA512
080a3909378a1553f48c1efa6dff2437816679377eeeb7ba8866686120060890d0d5d85a7b0859fa38c7b277839bccc1004e3b67bd646558c3800535fee88933

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
45KB

MD5
60a5e69c7ae23b1f747271a6147cb6dc

SHA1
1e2bd7ae0d4bdafd4f368da5caca46e135522bcc

SHA256
cea33fca60c79375fa24866a547446b440ffa7e92e2ace89c0276fe721c8d5b0

SHA512
0060e4f84e8d6d38a1a6b65dac45e7ac5f04295aca73ba8bd283ae54947614fea462048a658c75006111f2e986cbe2e1c2cfd2c5cfb94ce66af1770b38ad87ae

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
45KB

MD5
ace06e1bce7dd7d5253d4c424573721d

SHA1
c11061ff94046cd6d85917445f640d68349721f7

SHA256
0804562b02ac7f86e9a605d4678a5cba8d174aaf338bac9d5b5fb2a483d0473f

SHA512
c89381b05064b9919e9b1c32211289489d035c815b2c4ae914772194d711fff5049d20507824e383f8a69426db2216a31ec784856aac9e5d3ecd5ea22c241bc2

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
45KB

MD5
2c42488ba808129193f9969269c33d04

SHA1
e2b13f53ce1d73e56348fc53b93f0d3cc07bb10c

SHA256
a7d0d1c0d628ef65c78198330547abb02a546c183a7e6c76e5584c09cae5bd45

SHA512
dc185f2a930233a0164f191592ab643b29951c8eb909ff9cb4a5d1eab88e93e0e4bbaf1f91be0e68fdea9d705477631d98e94c4bbc9127774fa572ef389b4939

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
45KB

MD5
d3a68494870944a984036f0f0a752c62

SHA1
186f3a075aa6e06fca16823ba516ffc082c95b6b

SHA256
05cf12800fa539022d7db86db2fd3b66c843671c0997875321429498c96e0448

SHA512
a17cf2d20cfba16736ac7e6087692e46f464b9d9461c4d54308659f3d483ca705302899117b152077f8017b0f5b4e066ad5d6b84810cd471370c34a436d51a74

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
45KB

MD5
f3ef9b521f594cde74488992c1bb8c1b

SHA1
e980124dbaf23dad90220163d16156db57f02f21

SHA256
7605704d7751101c21285450dc35849462fabe2f69e8aaa4df39000dcdc05a06

SHA512
b96ee714d114263208be57f770a04d08874098488441429c4d5cd9b603dd4a9f69bb8dd949b6c65b1558ea8db2280e46faad34662037cba365101574d0ec1842

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
45KB

MD5
1306623ea8cded45f55f7a7a3a16fc01

SHA1
219c7872a3b29f33a466ddaee6d1ccedd8694935

SHA256
c8e5653e000b94b92a21f1dccd1e18f94eb835feb3164b9baddd3d0573942ee4

SHA512
39fac47095be206a22f240ee789d97fbc18829cf701b953d827ccda3db6eb67611aeac944be9c62706757d70ae3377370c79afd70d435ab47f0f7fb5730f9d70

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
45KB

MD5
df9e92df25d2fe2479a76454ac2c91ab

SHA1
3addda6a4ddbb8ddc3be2fad901853366a996f83

SHA256
056189986bfb5754b07d78c4f2c5364bbb4a9f6803295232ad3634788aacd645

SHA512
9d28b6955e2dd76df763e09a3b0da4e1e33f97d56d0ff0ded0e4fe1357ddae90c1c8bad1e4549ee9492936068d2c84ebc177880afcde9052afffd67cb121cff7

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
45KB

MD5
b0a475b9e6aabbec8da97fcdfa7d6d86

SHA1
c12941dc82afd49697128495ad6c26d432ae61b8

SHA256
53558870f357f03f6164a2bcc74d17df6d3b68e323462a25649ab314f576785c

SHA512
dcbf31fa65c72fe9c3b832d4a74d832b45e119e6ff89130f9baa85506dd864333f86ae839f870978e171e0bd8252f1f8cfc7db3453b171c51511b123da20ca24

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
45KB

MD5
c6a72c4423fb8d96880392f7b8cac288

SHA1
cddc8578c39ecf18980a959c19fd452e8cfe9e48

SHA256
e17ad374705812c975c920e632b45fe2e119b0b6029e80969dff2b4b6a19797e

SHA512
e6fff318cf4765f96677605e974ef2991a710c705a5d6f669379aab757fbbbf4235a593a2435cd36f8e0905c7f08ff0c10130cfc683fd29388c5e6368b7e3a23

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
45KB

MD5
490dc27ea9f61dcc27cf62d30145f9ef

SHA1
875f4a6cbf67848668b5edbfec7b3dcc989ef910

SHA256
92971021efd29df82b2a9d5669a88c5c46a0028a4d75ec1168122c18b3d9697d

SHA512
07ac6ecf6090fd6c66ece449f3f1129259ad618f012ff0c28c6d5b2fee0e4f344a404964637f7e7c472bae2815bc0eb9783d27d5d58844538c29132a5153a45b

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
45KB

MD5
2dd46a1d04739bc4e43d1109ee471fe1

SHA1
26b0023983d6b69f95bb0d04d92d2226e09e3b63

SHA256
2ca6b8bad8e27eac8586149e5e8019c3cf21bd35f9d56062cb10aaf5f1ff2d7e

SHA512
d1e3cd118529b3e89882bbacbbd9f31dd2fa8aea4cbc6bc133e02945c12d4b0812a1f4ec773f2ce038f390690d7f71d6b80e734757a0f0d6852933b328eb1789

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
45KB

MD5
db4f4fe8ce9e613aee3f9d2f03219cf0

SHA1
d89f19314578deff5476be9c2ef9c0722414158a

SHA256
4d4b212f0191b0c59447f077ac0e3ee8fd75caf1018037b338b34bb1d7a2d6f0

SHA512
76b73221d96b23ca21243080d9f712d6f59ff60ee4e25ebabeb55cb94319ee660a3d789dcb0842078712594f83ee70b974eb96a9fec6ccb345a0f1e76f507fef

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
45KB

MD5
90cb4c504d41fa2889afd2694a64ffe6

SHA1
6419142f3a939feca9c48e39bf7f46c65929144c

SHA256
b5a6e2bad07c3cb4cae787b0bb9625db0e73401438152277f9242c0191a4eee3

SHA512
f77ca201a905b26a4e94ce8573949dddb9f69439c74a4679b6a1f6d410abac5dd92b754cd6d2c568d3c92708c95844c8dfbff41792bba617688e6b4516eb041d

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
45KB

MD5
bed8392d0ac8456c8bb407587e5d227a

SHA1
944f57f3a7b002019ecbef3ca8b660fcd018075a

SHA256
5d6022c285f57ff257a36c00b0bb395c9084a9673d5de07d2eda469c24c3c944

SHA512
a18809efb2434599c4f4e14fa29a1663b43258ce255bfdbaf37018bbd49ff30d1ec760404d7ffff4f272482ddca06878df09202eeb40bcc0070858feca01155c

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
45KB

MD5
2a635f62ef7f8800c0b1f83ffa30c35a

SHA1
0c7f758d21d57f414e90a5aab3ad37efc7a6b271

SHA256
8ec03e6df928948f60a1446db5cd15883a1772461bc89c2919e539ede05ef63c

SHA512
641eba9babdf2387796dfc8ee42622931e37abfb4e29cdca13dcb2b1dfb97064e1063a082600bc5989ee6939dd79ed52b22865be33540bc6c8cd985acdef0694

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
45KB

MD5
0f2655d227936690629ac669561a8746

SHA1
ef7167b9aa33c5a783a06eeb4087eeba004956a4

SHA256
1134e289e9eecbfa6f25a1d2f680ec29631b6951361aaf11fb5a3224e5b52a61

SHA512
0d7db3316ca9c91df6a71dbe3fc32f69042f41bba95aba38f941a2d0dade21d2b7cae58b049b5cad70a77bdd5b9433104d9b45625dcc58af004447884833ea2a

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
45KB

MD5
c656699ff4d70ee6dce116aba76c9594

SHA1
9e25914cdb6aa100c3f403d75e3dd759763a598b

SHA256
ea58928883598743b43974d78c1079956161fb65625ced4caf31967aa908400a

SHA512
887cf71739d0057c21f7d79d977359e7b3368ab572bdeae5d6ba754cdd8d02bd0529ae478b0009f7cd56bcd416f34706a21f6b470a9caa0689dad66bee2e30ed

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
45KB

MD5
3be5b3ca147be2a290f3b61da3580f49

SHA1
af46f4b8781e92a7b79b8b4baeb2f3687c2488f6

SHA256
187f02a90ee3552c6d234bd2f9a2430eb44c8014f4e2ad7a0cb1ad140626aea4

SHA512
e259a1bc18dc9ede21ea5bc99f5e28557bbd9000ce01662e1c176ee36560d70c38902a0db34c7f5c5cee313944e81e497e7a2959f0ff9ffcff17222dd72d74cb

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
45KB

MD5
c62fa40f597e3978dd6204f182c1b047

SHA1
7d92f60ffcfcf100fcd14901453601d8b5ee418d

SHA256
0325cc46ba6ea2deee4499db5aeda179ab62bb8406f03e5d4627b955aaa7c30b

SHA512
80cff947c65340c182549bb9199e639222b66385b2ed52891bd163d1f96ebd60e191767f6af0b46a61ac933c6ff69adac0faeb817d0ece5b34c3c04344cbc52d

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
45KB

MD5
dde5d2a383bd5606fbdc875759242d7b

SHA1
9e87e90d2bca676901c86a0ad3d9fd551af1e601

SHA256
0987ad3816596ef456bfe7d537f315bc6c4b81e8f8f7491184d9e3ebdeaec1e1

SHA512
e950044072c141d3489d253a415af616957d59c83b155b1574b0545725df3e1706f5362dba6976618a66550b6ba4532e417a13a23d04b99e5dc4d884648d1b7e

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
45KB

MD5
d054e06b5b84e354c1f24a36b83b8575

SHA1
fcba029996553231e27c4cf248f7d48945e08caa

SHA256
77d3f389516e4b6ea2bb9f9477ca4dad8422cf5757b434b7e7035e5d9f4a7592

SHA512
2026301e60ba5d554d28c275ae13edf9eda484b76b34031f39710aa13545034d05e5cb39dd89505fee844afaaeae0dba62d4ad18af7ca99d28fba752b8c3224b

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
45KB

MD5
e252f8a815153a858ce7c842d417da5d

SHA1
970de82f86a07cd9268c192c9e6fd25e357e82c0

SHA256
d2531e786de2a2dd64e977804c4ed580ba1f53a01eb4372515e6e7353601aebe

SHA512
f111b52b77cb026d2f80486cef05e0462035c7085cefdd6fd3d28d911981f91848f4c837c110c5dd6152c1c16e75358683dbb404543bd712c011451909fc0990

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
45KB

MD5
76f75a90800a047ed8adfd467f4d1bbc

SHA1
53a3d58a5f67deb57822b8bf4276c7e3ac1d5416

SHA256
bdf3deb78a47dbc13fceb89e9eee844fb8a70e147d52f80a2718cdfe1cee3d09

SHA512
d548f641baa86dc300ba01813cdbf640d1a509dea69fc15f42fdcb22b647ceb1313443a4301bc6ef141fe9eb141b94681a22eb6988b7b5206d44988107897306

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
45KB

MD5
a436e102177751b0a70993d3f3f5a41f

SHA1
e58127f3f4f93dd0aa52ace88ea92410df8e9213

SHA256
a07a2f81d79136d24f86f93e0712aa71531ed0ae6e22f13f6cc5590d9edc8b69

SHA512
dc4d76ebb2940561e609a41cb8cfc6076bf847a70e91e1e5da582c27769d35e60463e08fa9e80dc8e598f11c715548dd83895fb27bdcd14081aeea7c2e20ba04

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
45KB

MD5
0e1599306e110e26b2a205c259ed5280

SHA1
c57233e87fea8b6b092dbb046db8b2562aa951a0

SHA256
adc76a5995bea016a7b28191a21f513b46d79e998f92b2f8a24ccc8a9426d5b5

SHA512
9111e9d537ecab74daed25bdc2a5f714a7a9ec1fe51d39a182c765fe7ef21c9788ba194082a9129292f3afb5ea675538d16bc35b1da2813e47b8fbefaab73d46

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
45KB

MD5
04b8fe86111756e17a4d8365ea41ae1a

SHA1
be376a609af7ef1a591d1917c84df8f4fd91dca4

SHA256
60f85933f825e20323be227a715a573706aecfccf3558d0a55fa1d9ef0500578

SHA512
80660e6cc1e4c9d8bcf75178e5814cb6cbf29c2a6a18ff14a7e7a035c4661f34c05ae92caca1889f0e55dd4b1ac19aa58d2889203ae4f567dce691dffd5e15bc

Download Submit
memory/380-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/412-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/548-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/708-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/888-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/916-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/956-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1540-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1996-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2160-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2408-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-430-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-364-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3224-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3228-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3416-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3572-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3696-350-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3712-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3848-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4200-358-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4572-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4592-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4640-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4668-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4780-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4832-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4960-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4984-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5116-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5208-1299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5296-1290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5548-1279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5604-1296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5728-1288-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5808-1294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6152-1278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6160-1255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6232-1254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6448-1239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6488-1271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6524-1250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6532-1270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6800-1246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7048-1258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7092-1242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7160-1241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads