ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
Size

256KB
MD5

74db5c7530fd91c3e7dc0e0a96f67ed6
SHA1

2210bb842f819a57d073dc9a66308ff74addfa48
SHA256

ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2
SHA512

55d8ff60e2ad0f241a71e17cfe1f38d38364784108221953de3446cbe55985f3bd943d408ca6bb2080d58b5d9d1641065205279ae5280594e0d73e968911e7a9
SSDEEP

6144:26hp+omRoPC9C81NByvZ6Mxv5Rar3O6B9fZSLhZmzbBy9:fr+oOo69C8HByvNv54B9f01ZmHBy9

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe

Executes dropped EXE 64 IoCs

pid	Process
4940	Dhcnke32.exe
4088	Dpjflb32.exe
3264	Dakbckbe.exe
4916	Ehekqe32.exe
4792	Eoocmoao.exe
4932	Efikji32.exe
1892	Ehhgfdho.exe
3296	Eoapbo32.exe
2204	Ejgdpg32.exe
1000	Eqalmafo.exe
1432	Ehlaaddj.exe
4032	Eqciba32.exe
4592	Ejlmkgkl.exe
400	Emjjgbjp.exe
4572	Fbgbpihg.exe
1956	Fjnjqfij.exe
4724	Fokbim32.exe
4456	Ffekegon.exe
4564	Ficgacna.exe
4844	Fqkocpod.exe
1372	Ffggkgmk.exe
2696	Fifdgblo.exe
2780	Fopldmcl.exe
1752	Ffjdqg32.exe
4748	Fqohnp32.exe
4320	Fobiilai.exe
3092	Fflaff32.exe
1688	Fodeolof.exe
3080	Gimjhafg.exe
2928	Gbenqg32.exe
3620	Gjlfbd32.exe
228	Gqfooodg.exe
4924	Goiojk32.exe
3732	Gbgkfg32.exe
5004	Gmmocpjk.exe
532	Gqikdn32.exe
3908	Gbjhlfhb.exe
2284	Gjapmdid.exe
2700	Gmoliohh.exe
3700	Gpnhekgl.exe
3468	Gbldaffp.exe
1980	Gjclbc32.exe
1756	Gmaioo32.exe
508	Gppekj32.exe
1544	Hfjmgdlf.exe
3404	Hmdedo32.exe
2396	Hbanme32.exe
4752	Hjhfnccl.exe
2960	Habnjm32.exe
1064	Hpenfjad.exe
868	Hbckbepg.exe
1764	Hfofbd32.exe
3556	Hmioonpn.exe
3568	Hpgkkioa.exe
4212	Hjmoibog.exe
1396	Hmklen32.exe
1516	Hfcpncdk.exe
4576	Hmmhjm32.exe
3756	Ibjqcd32.exe
1380	Impepm32.exe
2908	Icjmmg32.exe
3888	Iiffen32.exe
4832	Ibojncfj.exe
2436	Ijfboafl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Ficgacna.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Impepm32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Fodeolof.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Gmggiogn.dll	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mbfppi32.dll	Fokbim32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Fodeolof.exe	Fflaff32.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Nkbkiioa.dll	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Eoapbo32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Eqalmafo.exe
File opened for modification	C:\Windows\SysWOW64\Kpccnefa.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jmkdlkph.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6584	6496	WerFault.exe	239

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphqml32.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockmjg32.dll"	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbfppi32.dll"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpfpdoi.dll"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmihaj32.dll"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gjlfbd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 4940	2688	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe	89
PID 2688 wrote to memory of 4940	2688	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe	89
PID 2688 wrote to memory of 4940	2688	ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe	89
PID 4940 wrote to memory of 4088	4940	Dhcnke32.exe	90
PID 4940 wrote to memory of 4088	4940	Dhcnke32.exe	90
PID 4940 wrote to memory of 4088	4940	Dhcnke32.exe	90
PID 4088 wrote to memory of 3264	4088	Dpjflb32.exe	91
PID 4088 wrote to memory of 3264	4088	Dpjflb32.exe	91
PID 4088 wrote to memory of 3264	4088	Dpjflb32.exe	91
PID 3264 wrote to memory of 4916	3264	Dakbckbe.exe	92
PID 3264 wrote to memory of 4916	3264	Dakbckbe.exe	92
PID 3264 wrote to memory of 4916	3264	Dakbckbe.exe	92
PID 4916 wrote to memory of 4792	4916	Ehekqe32.exe	93
PID 4916 wrote to memory of 4792	4916	Ehekqe32.exe	93
PID 4916 wrote to memory of 4792	4916	Ehekqe32.exe	93
PID 4792 wrote to memory of 4932	4792	Eoocmoao.exe	94
PID 4792 wrote to memory of 4932	4792	Eoocmoao.exe	94
PID 4792 wrote to memory of 4932	4792	Eoocmoao.exe	94
PID 4932 wrote to memory of 1892	4932	Efikji32.exe	95
PID 4932 wrote to memory of 1892	4932	Efikji32.exe	95
PID 4932 wrote to memory of 1892	4932	Efikji32.exe	95
PID 1892 wrote to memory of 3296	1892	Ehhgfdho.exe	96
PID 1892 wrote to memory of 3296	1892	Ehhgfdho.exe	96
PID 1892 wrote to memory of 3296	1892	Ehhgfdho.exe	96
PID 3296 wrote to memory of 2204	3296	Eoapbo32.exe	97
PID 3296 wrote to memory of 2204	3296	Eoapbo32.exe	97
PID 3296 wrote to memory of 2204	3296	Eoapbo32.exe	97
PID 2204 wrote to memory of 1000	2204	Ejgdpg32.exe	98
PID 2204 wrote to memory of 1000	2204	Ejgdpg32.exe	98
PID 2204 wrote to memory of 1000	2204	Ejgdpg32.exe	98
PID 1000 wrote to memory of 1432	1000	Eqalmafo.exe	99
PID 1000 wrote to memory of 1432	1000	Eqalmafo.exe	99
PID 1000 wrote to memory of 1432	1000	Eqalmafo.exe	99
PID 1432 wrote to memory of 4032	1432	Ehlaaddj.exe	100
PID 1432 wrote to memory of 4032	1432	Ehlaaddj.exe	100
PID 1432 wrote to memory of 4032	1432	Ehlaaddj.exe	100
PID 4032 wrote to memory of 4592	4032	Eqciba32.exe	101
PID 4032 wrote to memory of 4592	4032	Eqciba32.exe	101
PID 4032 wrote to memory of 4592	4032	Eqciba32.exe	101
PID 4592 wrote to memory of 400	4592	Ejlmkgkl.exe	103
PID 4592 wrote to memory of 400	4592	Ejlmkgkl.exe	103
PID 4592 wrote to memory of 400	4592	Ejlmkgkl.exe	103
PID 400 wrote to memory of 4572	400	Emjjgbjp.exe	104
PID 400 wrote to memory of 4572	400	Emjjgbjp.exe	104
PID 400 wrote to memory of 4572	400	Emjjgbjp.exe	104
PID 4572 wrote to memory of 1956	4572	Fbgbpihg.exe	106
PID 4572 wrote to memory of 1956	4572	Fbgbpihg.exe	106
PID 4572 wrote to memory of 1956	4572	Fbgbpihg.exe	106
PID 1956 wrote to memory of 4724	1956	Fjnjqfij.exe	107
PID 1956 wrote to memory of 4724	1956	Fjnjqfij.exe	107
PID 1956 wrote to memory of 4724	1956	Fjnjqfij.exe	107
PID 4724 wrote to memory of 4456	4724	Fokbim32.exe	108
PID 4724 wrote to memory of 4456	4724	Fokbim32.exe	108
PID 4724 wrote to memory of 4456	4724	Fokbim32.exe	108
PID 4456 wrote to memory of 4564	4456	Ffekegon.exe	109
PID 4456 wrote to memory of 4564	4456	Ffekegon.exe	109
PID 4456 wrote to memory of 4564	4456	Ffekegon.exe	109
PID 4564 wrote to memory of 4844	4564	Ficgacna.exe	111
PID 4564 wrote to memory of 4844	4564	Ficgacna.exe	111
PID 4564 wrote to memory of 4844	4564	Ficgacna.exe	111
PID 4844 wrote to memory of 1372	4844	Fqkocpod.exe	112
PID 4844 wrote to memory of 1372	4844	Fqkocpod.exe	112
PID 4844 wrote to memory of 1372	4844	Fqkocpod.exe	112
PID 1372 wrote to memory of 2696	1372	Ffggkgmk.exe	113

C:\Users\Admin\AppData\Local\Temp\ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe
"C:\Users\Admin\AppData\Local\Temp\ff3587abeafd5578cb65fdd57e5ada62732639585a48848c153c98d57785f2a2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Dhcnke32.exe
  C:\Windows\system32\Dhcnke32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\Dpjflb32.exe
    C:\Windows\system32\Dpjflb32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\SysWOW64\Dakbckbe.exe
      C:\Windows\system32\Dakbckbe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3264
    - - C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
      - C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        25⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        26⤵
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        29⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        33⤵
        Executes dropped EXE
        
        PID:228
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        35⤵
        Executes dropped EXE
        
        PID:3732
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        37⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3700
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        46⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        51⤵
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        55⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        56⤵
        Executes dropped EXE
        
        PID:4212
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        59⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        63⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        65⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        68⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2924
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        73⤵
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        75⤵
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        77⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3272
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        79⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        81⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        82⤵
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        83⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        84⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        85⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        87⤵
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        88⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        89⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        90⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        92⤵
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5756
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        94⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5840
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        96⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6068
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        103⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        104⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5392
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        107⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        108⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        111⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        112⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5924
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        115⤵
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        116⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        117⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        120⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        121⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        125⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        126⤵
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        128⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        130⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        132⤵
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5344
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        134⤵
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        135⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        136⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        141⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6188
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        143⤵
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6272
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        145⤵
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6356
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        147⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        149⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 412
        150⤵
        Program crash
        
        PID:6584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 6496 -ip 6496
1⤵
PID:6556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
256KB

MD5
e689292c3bcad5aa391e611f0bd5af55

SHA1
83908b3eeed2b16cb70fc516c3212b210651dadc

SHA256
7c61953934b0ae765b5c3ed4413c24f7041da140fa0d4719e91090fa04dbaf3a

SHA512
d799374d0cd1efa3544a6df091aa99506d94fbc74f88c01cd00d612c1dd9b521034291502c210b35b8c1433596a9ac28b04d51571cf31fafaa43f57bb7417322

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
256KB

MD5
8fafaa72e528a9cd4950bfffd4e30bc1

SHA1
665efe741747f001e135bfc9819c2cf3d82f3201

SHA256
f53e6bc4d4f02127695ec64d33acddf26d9142389ab03e43029c6468c8edff11

SHA512
e2027c384e69c546d9ea854deb0078ecf4e2814bb974bb426b2a3065bf2d559d91f43f5314e609763a2a4623454aa73ea4660826b637aec61c429d109ae53091

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
256KB

MD5
c0e859969b3fe40d4d6e98d6f5c9a558

SHA1
926b9c95f18d9badb66ccbebff5d4d3b334f85eb

SHA256
e4757cba28d8b7749a7978c31ea76f25d97d28dd7603906ed59e792709fff095

SHA512
4f4d8bbf8433b1fde2412064c01be0d4d2c92fbf3046163bd54de78c3ad86392f6f5425c2afda0fac5543ab7aa3b846d2358cfad51a33cf27b2f56b46b33b760

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
256KB

MD5
5a79b70208e0be31df55d2f9d1441c62

SHA1
ad6fa002f2ca71c2a5d57216e9b570351716378c

SHA256
52de3b978d1eeaa549963ec1d8242203927f100c2fd19cb13d1b3bd351efc08d

SHA512
51faea4c85b758f99ab4575befbaf84364e7c9d70088ff311da32a06c11e760ad2fe066064a0205c10a311a1c89b34a829ae4d41286141acefc534ed213e6b34

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
256KB

MD5
7b7c9327f362172e605a68d5a6109b7d

SHA1
c0a85107f0b87d03444b1f59b510383044cb19f9

SHA256
db4d1fd8c9ae8cea02c992da81c4aa6097dd30d2d2825bcad3f9a1bd7ffa2b27

SHA512
ba605fd5f425589d37f9920ab35c7931ae5ba76a4b7230bd410176543d50c7ac8a60ca8aab9af4c07b44e5dc4558ebbf9fd9766e3cccad9294ae64bd99b303f4

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
256KB

MD5
a283b0083238742e60bb87bc07177b5b

SHA1
dc553268a8e7a88f9b12dc7a0b5af03c7838aeea

SHA256
09eb3a0e86695a5fb7fde35c84e1cd02a3e9eab24c238d0a59238372cb4c3777

SHA512
51f77d333df8d89c2d12177b66bd401e73a8757ce5d664828dc3b64bb83832b5b5409eb5b5f206297a52348569d34c4c8535c8e1a253ba80a8081bfc863a940c

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
256KB

MD5
f06d8d2089058f93f42230d2be4d92aa

SHA1
89761bec8ac83e433ad30ebb18e89335fbe432bd

SHA256
340da6ace4567caba8cfc1144ee647e13152ced5f0b52fb1e7509190fa127e77

SHA512
95ec8ee2b309f13ad8ae0f8f93952675305e92a7c0be9a35fa3112dd48deeb04d208ac32f578b1824bef3467dab9ea5075e3556e43bc147a02466138a27f2e1e

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
256KB

MD5
0693c65d0488ff2c559b25c3f928da8b

SHA1
bac49fa79a293b791658a901ba4719cb891d7f59

SHA256
08ad1b229e9d5253315481b6668b6c90ce02966f8b60175d9f182995a85797a9

SHA512
e5aa16d2b4bc8f43afa41599f2a49b42bc8676cbfa59de84b00f51da5f10b5f8b4025d4218edf126c3006e37683d62a34c494ba4e76c3efa95eaea1f99ff79fe

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
256KB

MD5
d7f2f452ae101c5e7984813737837254

SHA1
bc4aa2af84caeab0c9acf46fda52d1349c20deac

SHA256
bbb5eceb528b23ba11b1f2185dbd64c24258628ac87e63e19f71225b6435ce4d

SHA512
039462f4c8c07bfbd2614adeb9d234ce69a5beee19cb2e3267f2104adb5f33e5b99ae06d91c08e3237dda53496a8ca89ec4f1ba94b9f1d51e47f145dec7ff036

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
256KB

MD5
241a9d474d068307d2784014eca34fe5

SHA1
119897120b6166b3fb1dadd51ca4926849908ae6

SHA256
93d12afb2818846a41cbea8f6bac6d693bb71f2a5dca1c9944a09d0b28ed2209

SHA512
618a21224794f79860b4f81dd80eea001727010123fbbbcc1a52d9c648ba0133e716dc1bbae4efbdc100a7b4d035e5124136db234a81dc6a1e67a48f3d99df71

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
256KB

MD5
0fd454bd727781690d3e6b741962ef03

SHA1
aae7e198fd501ee298d8d348f5e338adac9066a8

SHA256
bd42c4008787a8a601a08924cb04993d68d7257dc127b45a9f978eafa50edfff

SHA512
6db15938fd3e717a35cecbecd3661ff01569292b457b25b3bf2d78ee28c19905d1985a10a28b2f157b525765aa549d9e28a01cab478b2193cfb13f5784bcbff7

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
256KB

MD5
fda9ac864adc73f6831e21284f24aa7f

SHA1
0e127f823f28cd21ee9c845863dc3014469346e7

SHA256
94880ceddd265b8d2bb974a2976a08d79c27fd95be9a25e288b8c4a72f385278

SHA512
1243775df74cc815cdd7cc0dd29e8087876c537617826aac1eefed867c3a56cbdb004da2deb5f6a02065f37bb5a96e87ce0c7d3ef984f1727618b9d22ffcc6ad

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
256KB

MD5
c8245e6bf4b6ba944637f63870c4acdf

SHA1
d52d5e770aecbe10280f9282426df65c823d2925

SHA256
3ec67125023c262ae677f5c042fe5ef1ef2920a230eb7814dec980fc66e233e0

SHA512
9d9bc3fe96da08074c5e4f2346a4193010f0b45aff7d051d2744684c67f5dd9ffb9d67b672c7d7e918242fa04f2aab50d7902fa3f0b5d641a865b48b9d88398a

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
256KB

MD5
ee8f42d61516a4b7e3cd8cd9b001533e

SHA1
90f995b1ce739e9d12f9743a1626ccd4d2b4704c

SHA256
f9aeff5b9572b4d9b7beac501c676b81377bc20581ade18cdb9844f251c1a9d6

SHA512
c07191a551f2980c6b6ce1c8b62cee8b5a43cf9fe8bb7115d892ccdde5c06045973a4cb71def13e3989124fb86ed23e1233e6c23842f334ba098501d9afa671c

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
256KB

MD5
2ccb98c4bac4cfa8c994b57102f08a32

SHA1
881ee936d0bebf85a71ca53996207b04fb20588c

SHA256
f518d88dc926353a328a0948f0ab4eddd9a18d3ffaac4b100fab75d499431fe3

SHA512
3d68d302cb10ad8a698824860ac66b83c75dd27630d559b96affc7d5c1dbf743632297f2f65c62e5ce0c769f5e7cc05c6b8cb9726a523d808d5c02337dd88548

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
256KB

MD5
0ba1372c0f4fd9b79042479eeeadda6d

SHA1
4a7cc897043ab69c250d28e8eeb4994dd9bba576

SHA256
ca5914fe05b09f49553723d02f2ae0b3062c4ad2b587c16fda4f4a7fbc705a26

SHA512
76281e912338be3247cef79de6054776077022bb492c7d2dce04b20292cbb002ee99926d74326beafb45fd846189b3e4485bc450650b8aa6611ab3d8d8fce1ba

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
256KB

MD5
7eda801b8c5deb15e4a7333bcd4dda52

SHA1
4871d51a901dfe630175b8155758c09f5a9165ec

SHA256
f7e8de28dd9342c1af350eaf8112bbed7fa7562a9fb0c9868e587c4a28cdb6c4

SHA512
5155bbe2eb2a9f8661b3b271742c33a8bf0e436c42eab7782817eb395a0be4cd0c83e6824507f572b892e90558d844f71dbc1592cb07ce70d3c4980914741d3e

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
256KB

MD5
ca426ae1456acafe2c0064b3cb3701f5

SHA1
d2332f1902a7b692bee353784e63caedd79d22f3

SHA256
039565661b842c4d7fd2c905ae627dc43905d327f4473f45db72d7a37d269952

SHA512
5e388b70684fcb332d52eead8350f7b96f4fc03c8f156cd57554654d0c2564b8d74ad0589c47c8b0602d7a5f86c8919adb28dad0a6d691b3b1389f637b9a64fc

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
256KB

MD5
cd9e6d06c6075a59ecf46360e11e6db6

SHA1
c34ccfacf80be1b84eb479f4bddbc4763619dbe3

SHA256
3ee53720a133030a7f15d5b50065169313c06331081e58d3af9b821a6e4fc935

SHA512
6a10a8b5058ee91824274fc9c4076e2854b8ceb641ec9cc6334b5977af5dd6c73430296ce6e7d715ed6dbc182bd6d8b20860efb89f583b011e7179043ac767a5

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
256KB

MD5
f10dba566968f9f011040e73af621b33

SHA1
71d294c90f5d8505f7cdffaf644a9741e931b453

SHA256
7a13b578da303ee8c6b2ff2eae74e4806279ecf12e5015db8624e5c1e82ad9fe

SHA512
958f643f1fb20039656c2b02bf46f48def0c3c48499a2b12022a05c504e224bf9b37f9cab37fec1c2451017b514560187ab5e2c55abc973875fc6eff976e69ec

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
256KB

MD5
72dfe34a6d6b4a7bf5febe0b00ea3a4e

SHA1
79faffa3ff7f82e4140a0c14d251eda5d849a221

SHA256
50155378e189d95132b2f3fc32c89d8e3e4d70154627c9759b976b48cfe306bd

SHA512
560495d62ea16f042fedd9c117214bf9129d354a0a20a6c2c57818c42ca5d1f78853e17c1a9058aab6b3e28a89c22dd979487665c1455dc179f83210a0fee7f5

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
256KB

MD5
6b0a5c384700f0301261f6c7a7e9406b

SHA1
d7a4b7b86e072423efd6bddefc5ae4e027dcbc67

SHA256
83a31ddc11ca7d481753a4c8f29106d0ae8e8f22a4430c035cb7b1d782d33dcb

SHA512
98615960372f88e2a26726d7dadc1d9a78e3ec61e9cf473980f38d7fe85cfe87e7dee957571d52ad9f21160ab556792af36d5a47925e1a7692f9df8364402361

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
256KB

MD5
97258427b142e436d423fbbddd61e519

SHA1
8592d072d09fff0966ee490f47a5a7f9bf834ed2

SHA256
ac6c2fa06c5ae3dace8084a49c344ca217b6922ed3f629f392e10272f67fae52

SHA512
e05afefca860eed4faaff77f046914dda71a4f9195b243f0289df39a630088cd6d46b16268267ae5afb32ed8a37e43666a87f36a331b187190f9e4d18d3df21f

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
256KB

MD5
cd006e4b2c817ae910d967d29974a269

SHA1
5b55b8f50d2a56e14055ffb54ff4f078be3eae51

SHA256
1726b836994d651a8d36befff85720f5c1e4914a816aa821554e6d8ce1e53cc8

SHA512
c0a5865dfe3922d1766cd60cb44382d75135ed1df06f327696e0a02357ff38ff5a1d4622a6d682f4a9d37148ffeef24dc75762dd5cebad2c08cd305269633faa

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
256KB

MD5
fc59e280524bf4c61c32555fea2a2478

SHA1
ebf24c19ead6b5d91bdd1fa5c5e245e74d8fa89b

SHA256
028bf1991509ff5587908833b2fab0b494a6a2d93c2a61ee9ddfd31368e3bc12

SHA512
9558a5d181d124182bda39f74f3edb85c59b1604a663b90d31a790b700ad15b071d1811a635e908a383872671d6127339525139a7feeff421ab65cbfba7c49f0

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
256KB

MD5
f4bce224bbbfa8abbc1fa80046d84797

SHA1
8fd3f0df2b59d6f05a8474a680667ac930d7d090

SHA256
1d9cd84b54296a94a55467d44aab6dce8280dabf610c2e49d4e7747d3e3bb3fe

SHA512
a6f410dc141910bd717dce066bf07abe071c672ab0bfb470d2a3eea577d67f273cae8880f43bacafd218f2365b7367666436240048f6abfdef73adedf7354aa8

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
256KB

MD5
9800761a0df641a07f05b6d0309def05

SHA1
07e0a06240a05e37de000f28762067445931287e

SHA256
f207c778970bbb92a62a00f3560cde94b3b535665d50334006034493a96391d0

SHA512
3ea779bf4fd8d083375e50552fa3c1e7438d4f18b04e79ee784f0a62bf66ca536d165d5a9d0ebf456df181211010d6f84b8c97be62fac36f6eb28daa1c040cf8

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
256KB

MD5
73e8fb798e8f28d1a7a3e5be956b3f8a

SHA1
c419aabb3ab6a921e3d2f456731d0f5853548d07

SHA256
988121efe0543f9b028e9784ef18738d69475796d66f27d61a4d1568cb92d4fc

SHA512
38af1437d6a8067de19fde84732f3b7f62d6dac2a570c0801e274f57d7c08ea94676755a32f853564d518d666ab6e0b86d8c1978e930a3e71f0a23896e1099c9

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
256KB

MD5
08c597a4cd3b6195a4c5f5eeba502d1b

SHA1
ebd5098a87107fe7280663bf32e9f930c520e20d

SHA256
167651f8f8b73cfd40279a20c075cf5adcf3c14108237283392bcb27d1e01000

SHA512
531cabc8ccb33a6bc5e5e80b8b030c042bebc479e838e43e2fe6ba45309520d38c4965b87ea3c4b234f5601b884b9dd3ecc7e5247e60bee0e344f7ce111cd5a9

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
256KB

MD5
d48cc7051fc6f75579bbd24a4a7710fe

SHA1
ff87b0d177347b022ba25278a0e1d6d3c549dfe8

SHA256
139d905b3cea99d2411e8581f75d7faee89d748217c22a923c1ab29232442c83

SHA512
55fb052fcc5342f0c8ae4198fd2c185ccffa0e53134e6bf1fbf7d7a2cdc7e9141010b82923e9bb0fc1d5ef2dbda0542acfe645f2ed15a68d94bbf5a33d7fed20

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
256KB

MD5
3486ac8a0660500e21459a38efca2d70

SHA1
e2b9ce7b3ff2a6b9c48d6238b6bea411100e9f62

SHA256
e3ea967b2d5848ed87256168604961c2c78d8188a34e0945dd8222a609e08015

SHA512
2e21e0e4dbb32e43f4ebe342136d70d9441e303fffb6e89fd4a583012d59cdc80d0e8258b46b913525f54a452218edcb422d79cc6ed4a891e3c9c88cf28ad23f

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
256KB

MD5
c1018740cdd0dd56b1fc0642c6e35a5a

SHA1
a212ab70f1a7d279e02643e0fe0314c2a9484656

SHA256
7633def3543d58710eb088e1379ac34c1e3d5c9d03b658a2720d3399afb59462

SHA512
bae9e4b280912d0f774b63a8becc1809761a77072360480325baf6d0ed63339c3bd6a07278a93e81cb8e220bffee928a14a026245e391f17851ddb106b39edc2

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
256KB

MD5
d13871468f6937650290302d1115af63

SHA1
2d8f8cc7575d851a2cebaae0f9f80847bf218125

SHA256
8554f2be3bce1675cd3f678da69a88ddec681093251608bb247c807359b86677

SHA512
6b6662230c37e00608f6fc3a00f60c30277cf2844fc205302396fe977f052dc10b26fb90da8e14855d37926e6dfddedc4f528b5f1e7f9c27aadc0d428dfd8960

Download Submit
C:\Windows\SysWOW64\Hpenfjad.exe

Filesize
256KB

MD5
d1be97cd8f6710a22aac370a790d8745

SHA1
de1fcda32d31bea2b86ccaf897cd27a7b58f6266

SHA256
ff03b6de08a1e48d63d83872c76354ca2e22d9a963d6d530fcc97aafbd5b03e3

SHA512
d6883810e6cda36f8ab894166bee48a154ee9861005f1de591571ea2240a8382c3fcadad823f5c6ff569ddfdc665cf06371cd9c2d22008fa838b4d11d9c18d73

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
256KB

MD5
68513e98351e03d6e31be32c2f96bc0f

SHA1
a29229daccf6e4eef18bd6c4c902fa183489be73

SHA256
6f3663a81d8930d8c0bee81cbdb7a4f5a3de92321b46e1d9cde1a2b591089bf3

SHA512
1fdd4799bc017283206009ca4b18d0e91d49ac598bf41f073b2efc4a3a08d66ecf9d853c2f39ec3a87a97d462fea01076433b8c0e51a01de76499209ab9011b2

Download Submit
C:\Windows\SysWOW64\Ibojncfj.exe

Filesize
256KB

MD5
abe8d7588ab02541f0699ffbcaacc29a

SHA1
7146879e2dfc9d1f378079f57cef7a6908aaee8b

SHA256
40283a6edbb15dcdc2913d2f972580cd5da8b4018e6bfdce02c8e05785d76834

SHA512
2416fdb7eb6a076ac32bc79c51efda3c71c67d14af0ec7489ac384e2b1ced701306976594faac53e74893dc3cefe7a19884c2828f94f9d1808fa4e603afc43b7

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
256KB

MD5
bd4d6cf068f551b29077d6a30ea431d0

SHA1
d547bae573b3cbb9a08f0e621dd41befcba33c94

SHA256
ea241ed462d5ca4709c551926615a1422327492db5ea7d59fdbb6fc9c398f976

SHA512
15746dc2c771508c7371ea223c6264abae1e00e435da432f221e1d458313b7abeb23f88d692635c5eab94f19487c93ee054feedabbaf3462d860f8520c010bee

Download Submit
C:\Windows\SysWOW64\Kbbfkb32.dll

Filesize
7KB

MD5
3c10e1711c4032742f3698948b6431c3

SHA1
fcda9e4daa3a8fcde9f38e7932d9016b6ff49a9d

SHA256
18ffd4d8b0141892cb797b89315f3f56b3ce8f4e8c0025bc0fe431a35ec0532e

SHA512
010e66d161e7e16caba77a499ab642f1705e3d4352c9c39ecbe683d6c6d3ac80d419d10edded577a47e106c46b29675a62e6b04cad66a5ef8feeeeac294c5b1a

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
256KB

MD5
1e5fa5a38a6de9f8a78605754cf162b9

SHA1
794378f5852332e72261bd2ce1f447de83a1dcf7

SHA256
224039285e7e6d41753983200218f419e8e2c020c43d5c422505f3343a6bfc00

SHA512
5dd311feca905fe5e1aa2074075253376dde4135817d4115fe72d299a1e34bc6d637406d0003b94368b891f6dd0e540cb4336d92dfe367af8362ccb8b2fa04d9

Download Submit
memory/228-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/508-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1000-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1372-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1380-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1432-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1516-410-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1544-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1752-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3080-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-220-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3264-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3296-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3404-344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3468-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3556-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3620-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3700-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3732-272-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3756-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3888-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3908-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4032-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4088-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4212-398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4320-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4572-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4576-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4592-104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-135-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4792-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-446-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4916-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4924-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4932-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads