1d6b90f07390cf17e7acd6aaec7d1d7430a0648ea8570b3cd5c2bae1e7c2aaa9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d6b90f07390cf17e7acd6aaec7d1d7430a0648ea8570b3cd5c2bae1e7c2aaa9.exe
Size

196KB
MD5

4a006107239a29625318a6491a78a982
SHA1

93a57d0798a7e182276e69d3cae32fe52ecfefa4
SHA256

1d6b90f07390cf17e7acd6aaec7d1d7430a0648ea8570b3cd5c2bae1e7c2aaa9
SHA512

6fe024b59cb3992679231b52cd29e72fb803cb4b22a186401977015784c0aa0a5bb0aecae3201d5812cb80bf5af019c1a096ab625bcbba8c6b75e527f45c783a
SSDEEP

6144:fpQAjktBTsa81+jq4peBK02SjSM0zI6rH:mGiTs1+jheBwSv0E6rH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjjjle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1d6b90f07390cf17e7acd6aaec7d1d7430a0648ea8570b3cd5c2bae1e7c2aaa9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe

Executes dropped EXE 64 IoCs

pid	Process
4748	Dhcnke32.exe
1952	Dpjflb32.exe
3480	Dchbhn32.exe
832	Ejbkehcg.exe
2140	Epmcab32.exe
1148	Eckonn32.exe
3708	Ebnoikqb.exe
3868	Elccfc32.exe
5064	Eoapbo32.exe
3152	Ebploj32.exe
5004	Ehjdldfl.exe
4252	Eleplc32.exe
2244	Ebbidj32.exe
3672	Ejjqeg32.exe
1508	Elhmablc.exe
4004	Eofinnkf.exe
2440	Ebeejijj.exe
2332	Ehonfc32.exe
2668	Emjjgbjp.exe
5036	Eqfeha32.exe
2304	Ecdbdl32.exe
4780	Ffbnph32.exe
532	Fqhbmqqg.exe
2412	Fbioei32.exe
2780	Ficgacna.exe
464	Fqkocpod.exe
3300	Fcikolnh.exe
2804	Fjcclf32.exe
3840	Fmapha32.exe
5100	Fqmlhpla.exe
4392	Fopldmcl.exe
2856	Fjepaecb.exe
1616	Fbqefhpm.exe
3472	Fjhmgeao.exe
3464	Fqaeco32.exe
960	Gcpapkgp.exe
3944	Gbcakg32.exe
3172	Gjjjle32.exe
4788	Gmhfhp32.exe
212	Gogbdl32.exe
2500	Gfqjafdq.exe
2496	Gjlfbd32.exe
1884	Gqfooodg.exe
4644	Gcekkjcj.exe
3028	Gjocgdkg.exe
3212	Giacca32.exe
4652	Gpklpkio.exe
1932	Gbjhlfhb.exe
2900	Gfedle32.exe
880	Gidphq32.exe
2020	Gqkhjn32.exe
2312	Gfhqbe32.exe
1052	Gjclbc32.exe
4380	Gmaioo32.exe
1004	Gppekj32.exe
384	Hboagf32.exe
4900	Hjfihc32.exe
4976	Hihicplj.exe
4272	Hapaemll.exe
1348	Hpbaqj32.exe
1608	Hfljmdjc.exe
4620	Hikfip32.exe
2068	Habnjm32.exe
1496	Hcqjfh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Fqmlhpla.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Eqfeha32.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hcedaheh.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ejjqeg32.exe	Ebbidj32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Dkfpkkqa.dll	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hihicplj.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ffbnph32.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Iifpphha.dll	Ejbkehcg.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hjfihc32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Dpjflb32.exe	Dhcnke32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Ehonfc32.exe	Ebeejijj.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Ehjdldfl.exe	Ebploj32.exe
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Ebbidj32.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Aqnhjk32.dll	Impepm32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Gfedle32.exe	Gbjhlfhb.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kmgdgjek.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Eckonn32.exe	Epmcab32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Jiphogop.dll	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7756	7688	WerFault.exe	303

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmkefnli.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elccfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbplof32.dll"	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqqjmnii.dll"	Ebploj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4748	2208	1d6b90f07390cf17e7acd6aaec7d1d7430a0648ea8570b3cd5c2bae1e7c2aaa9.exe	87
PID 2208 wrote to memory of 4748	2208	1d6b90f07390cf17e7acd6aaec7d1d7430a0648ea8570b3cd5c2bae1e7c2aaa9.exe	87
PID 2208 wrote to memory of 4748	2208	1d6b90f07390cf17e7acd6aaec7d1d7430a0648ea8570b3cd5c2bae1e7c2aaa9.exe	87
PID 4748 wrote to memory of 1952	4748	Dhcnke32.exe	88
PID 4748 wrote to memory of 1952	4748	Dhcnke32.exe	88
PID 4748 wrote to memory of 1952	4748	Dhcnke32.exe	88
PID 1952 wrote to memory of 3480	1952	Dpjflb32.exe	89
PID 1952 wrote to memory of 3480	1952	Dpjflb32.exe	89
PID 1952 wrote to memory of 3480	1952	Dpjflb32.exe	89
PID 3480 wrote to memory of 832	3480	Dchbhn32.exe	90
PID 3480 wrote to memory of 832	3480	Dchbhn32.exe	90
PID 3480 wrote to memory of 832	3480	Dchbhn32.exe	90
PID 832 wrote to memory of 2140	832	Ejbkehcg.exe	91
PID 832 wrote to memory of 2140	832	Ejbkehcg.exe	91
PID 832 wrote to memory of 2140	832	Ejbkehcg.exe	91
PID 2140 wrote to memory of 1148	2140	Epmcab32.exe	92
PID 2140 wrote to memory of 1148	2140	Epmcab32.exe	92
PID 2140 wrote to memory of 1148	2140	Epmcab32.exe	92
PID 1148 wrote to memory of 3708	1148	Eckonn32.exe	93
PID 1148 wrote to memory of 3708	1148	Eckonn32.exe	93
PID 1148 wrote to memory of 3708	1148	Eckonn32.exe	93
PID 3708 wrote to memory of 3868	3708	Ebnoikqb.exe	94
PID 3708 wrote to memory of 3868	3708	Ebnoikqb.exe	94
PID 3708 wrote to memory of 3868	3708	Ebnoikqb.exe	94
PID 3868 wrote to memory of 5064	3868	Elccfc32.exe	95
PID 3868 wrote to memory of 5064	3868	Elccfc32.exe	95
PID 3868 wrote to memory of 5064	3868	Elccfc32.exe	95
PID 5064 wrote to memory of 3152	5064	Eoapbo32.exe	96
PID 5064 wrote to memory of 3152	5064	Eoapbo32.exe	96
PID 5064 wrote to memory of 3152	5064	Eoapbo32.exe	96
PID 3152 wrote to memory of 5004	3152	Ebploj32.exe	97
PID 3152 wrote to memory of 5004	3152	Ebploj32.exe	97
PID 3152 wrote to memory of 5004	3152	Ebploj32.exe	97
PID 5004 wrote to memory of 4252	5004	Ehjdldfl.exe	98
PID 5004 wrote to memory of 4252	5004	Ehjdldfl.exe	98
PID 5004 wrote to memory of 4252	5004	Ehjdldfl.exe	98
PID 4252 wrote to memory of 2244	4252	Eleplc32.exe	99
PID 4252 wrote to memory of 2244	4252	Eleplc32.exe	99
PID 4252 wrote to memory of 2244	4252	Eleplc32.exe	99
PID 2244 wrote to memory of 3672	2244	Ebbidj32.exe	100
PID 2244 wrote to memory of 3672	2244	Ebbidj32.exe	100
PID 2244 wrote to memory of 3672	2244	Ebbidj32.exe	100
PID 3672 wrote to memory of 1508	3672	Ejjqeg32.exe	101
PID 3672 wrote to memory of 1508	3672	Ejjqeg32.exe	101
PID 3672 wrote to memory of 1508	3672	Ejjqeg32.exe	101
PID 1508 wrote to memory of 4004	1508	Elhmablc.exe	102
PID 1508 wrote to memory of 4004	1508	Elhmablc.exe	102
PID 1508 wrote to memory of 4004	1508	Elhmablc.exe	102
PID 4004 wrote to memory of 2440	4004	Eofinnkf.exe	104
PID 4004 wrote to memory of 2440	4004	Eofinnkf.exe	104
PID 4004 wrote to memory of 2440	4004	Eofinnkf.exe	104
PID 2440 wrote to memory of 2332	2440	Ebeejijj.exe	105
PID 2440 wrote to memory of 2332	2440	Ebeejijj.exe	105
PID 2440 wrote to memory of 2332	2440	Ebeejijj.exe	105
PID 2332 wrote to memory of 2668	2332	Ehonfc32.exe	106
PID 2332 wrote to memory of 2668	2332	Ehonfc32.exe	106
PID 2332 wrote to memory of 2668	2332	Ehonfc32.exe	106
PID 2668 wrote to memory of 5036	2668	Emjjgbjp.exe	107
PID 2668 wrote to memory of 5036	2668	Emjjgbjp.exe	107
PID 2668 wrote to memory of 5036	2668	Emjjgbjp.exe	107
PID 5036 wrote to memory of 2304	5036	Eqfeha32.exe	108
PID 5036 wrote to memory of 2304	5036	Eqfeha32.exe	108
PID 5036 wrote to memory of 2304	5036	Eqfeha32.exe	108
PID 2304 wrote to memory of 4780	2304	Ecdbdl32.exe	109

C:\Users\Admin\AppData\Local\Temp\1d6b90f07390cf17e7acd6aaec7d1d7430a0648ea8570b3cd5c2bae1e7c2aaa9.exe
"C:\Users\Admin\AppData\Local\Temp\1d6b90f07390cf17e7acd6aaec7d1d7430a0648ea8570b3cd5c2bae1e7c2aaa9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\Dhcnke32.exe
  C:\Windows\system32\Dhcnke32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\Dpjflb32.exe
    C:\Windows\system32\Dpjflb32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\Dchbhn32.exe
      C:\Windows\system32\Dchbhn32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3480
    - - C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        25⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        27⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3300
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        31⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        32⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3172
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        43⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        44⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        45⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        46⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3212
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        51⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        55⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        56⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:384
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        63⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        65⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        66⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        68⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4764
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        72⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        73⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        76⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        77⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        78⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        79⤵
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        80⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        84⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        85⤵
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        87⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        88⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        89⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        90⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        92⤵
        Modifies registry class
        
        PID:5388
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        93⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        94⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5524
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        100⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        101⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        102⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        103⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        105⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        107⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        109⤵
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        110⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5208
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        112⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        113⤵
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        115⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        116⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5688
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        118⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        119⤵
        Modifies registry class
        
        PID:5812
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        121⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        122⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        123⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3552
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        126⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        127⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5636
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        130⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        131⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        132⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        135⤵
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        136⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        137⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        138⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        139⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        142⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        143⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        144⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6156
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        146⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        147⤵
        Modifies registry class
        
        PID:6232
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        148⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        149⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6376
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6420
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        152⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        153⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        154⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        155⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        156⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        157⤵
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6776
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        160⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        161⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        162⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        163⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        164⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        165⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        167⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        168⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6456
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        171⤵
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        172⤵
        Modifies registry class
        
        PID:6644
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        173⤵
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        174⤵
        Drops file in System32 directory
        
        PID:6748
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        176⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        177⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        178⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        179⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6280
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        181⤵
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6604
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        184⤵
        Modifies registry class
        
        PID:6864
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        185⤵
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7132
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        188⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        189⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        190⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        191⤵
        Drops file in System32 directory
        
        PID:6164
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        192⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        193⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        194⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        195⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        196⤵
        Drops file in System32 directory
        
        PID:6624
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        197⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7196
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        198⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        199⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7276
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        200⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7312
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        201⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        202⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7404
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7444
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        204⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7480
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        205⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        206⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        207⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        208⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7648
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        209⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 408
        210⤵
        Program crash
        
        PID:7756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7688 -ip 7688
1⤵
PID:7720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
196KB

MD5
442369764bf5d77ac025741b61e8c374

SHA1
b203e9c470025b4994bd716a70e2045da9a652fa

SHA256
0d5dc9e8a4aa157fb1b9baa176962f95cf531d41b5b783c54441b36e47491f87

SHA512
677cfb32e09f3a9628b5b8f9dad3e8ff1b7b09ef932b255aeda9576a6ac0ac060d7460c6f6b808792506085d092778c9b26de8a46536dc53ab5fc8d5718aa3d2

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
196KB

MD5
dc492b66b8f13576ea5ba8483497e47f

SHA1
71388f70e11f33cda23cb80a9a2c2614e428a1dd

SHA256
5a5dfbec3457c33894603a764d3f93256cea831dcddff0023765d7d64dd76306

SHA512
08ca5be7d4b1b64c367188eeaf32bac2891eb2e08b6684606101501c60cc0041b329fdb164853e3dc13af334699ba0692a6879270eaa0adcad470a6223d31ddc

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
196KB

MD5
551acec08a13484ef8dddedc286fb03c

SHA1
b7d1ed2443153ee02003e243c6c784cb3e727c7f

SHA256
74d440de0108b91e0755f8caa0cb27434865c840aa212a0243551942316d88ad

SHA512
bb66b21ecb8e91a4e65f60e994f04d6aa3bc9fe3efb2c19d2b74b7da426f9f4eeb301d432ac5ed7edccbba8454955f5df3b5aa0403648bde309472c5008d57c7

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
196KB

MD5
ac632324447787d777788d65e8e88e7a

SHA1
9aa51ed5c785f6faf8df6c21402a946363911a22

SHA256
eb32e2c8e0da8ef21602422fbe1a19e5063addc212161d5f50370180981382cf

SHA512
334395ec9dbc9c82bf881ca7f1cc787ddc3fd95e3b6900a6111d99fd2913fa6a4846dc88a8dc93e8790b70553b7e038f59afd150a3abd88c381c7e52bb66911e

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
196KB

MD5
24e171ea1023bfa18b73c2810c735f5f

SHA1
2afdda241521dae57f5ff29da291716d6ea50fcd

SHA256
eb1893c3ead08700353d09e6ebc3465fe3a52ff64dc2c90117793f469844ab8b

SHA512
1e6dbd34e0c11eb597806201bb3155def65cc62bcada4d17fb9edba0d25f69f19dabba2e3a9435cedaa2837ae43fd69eaa304216dffd539e9648c5ae5304bd60

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
196KB

MD5
232732bcc053d5aeebfdec9a564f560c

SHA1
73dc1e74ab72b8363ea84dcf599fe3b28e7acedd

SHA256
34bb36db253c14f35521a4e2e29ee8bbe08a3a17727a900dfb7b0a6a7205c47b

SHA512
437dd9589f4021e281e5404717f53a8e82759fd292a059a57daf117c305dade90aab7c226c5093653a58ce23f4d5f4ce4031aef1ca726603846a2f12c6c78fc2

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
196KB

MD5
b143c61bb71d9275845eb6988e279a5d

SHA1
4f99d2f5000da7254b588338be6fd9d88d141380

SHA256
a67588c855950666a67f3b81642e076839ff9d8aef8c2a05420d214c2fc6a0b2

SHA512
57dba2f93aabc924c3bad16e01c57143791fbcc6a1d1078b353d7b530f0c027363f25910188bdd8ea72193bbfc25c3230da7706b0581d69ce91234ef1be14109

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
196KB

MD5
0f5acc10fc3f1489a29ed11c64875b4d

SHA1
f17dbe87c09a61b56556b3bec7718f3f977b6d21

SHA256
345fc9363e85f5a96df44346f7194c24acefbdf4a347e877191ae955b27d4ef1

SHA512
708216d5506a0df04f495eb413fcd4f4f2e119bb2c7e467b444cca21ef942a24334532d0dcbb603f8a0f1409248ab326e93f9af4e36bbf9f9523260d6927a3b0

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
196KB

MD5
a1a85713aad0840df1fb381c4d5c24cf

SHA1
63698f16adbbdaa7e09c79e6f9312d244573b228

SHA256
ac18cf784981becc25b5db2159ec5836b64af99fa040673c02632c14e1263a5f

SHA512
af34cf285c159690991e1516a5b0442476a1c61909bd29e78629359cb1fd378ad2e8c6e760f490a70449e7abe8f0227c1d5770b34d58250e5e3f0f90203f196a

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
196KB

MD5
7f5389d867027d4e0e417ac144fbcc10

SHA1
8f76bd3962826dd9daeec36c7bca5023919a2696

SHA256
762ce75b9c400f121ab389b90f5cee660f1a44ad074ac60a5fc4ec80346aa17d

SHA512
5331b9ec09ef0a69f2eb5d57377c32d54ff7b3be62f9510c8b59d9955f2b554de33073ac41303482061f744d8198686e26206d13b494cc50c4b41c62c3f2e34a

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
196KB

MD5
e8af665f9991537f79060854e91edd87

SHA1
be9413aab1e76304b75957757654eadccbad7e29

SHA256
9d3cd94df1f0f6e7e91380e3999214869b27d5b3cb1fcd70f6c44f645431b954

SHA512
f9f78989e27974afcec7915fd6e2943734a7adc8aca8ab0f87d8ffff43a74ca3fbedf2b85fde45bf42c7d8c961fa7cf1121b0810351de1fdf3513bd4fceab418

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
196KB

MD5
6685a2b2f27bfdba0394eba8faf2d2bd

SHA1
9f6c810c5c73d5893a0f61d2b8bf0571f2b76841

SHA256
bbe9f4d59502d5fb69d3d764cb7a78660b168215bfec4231a6caa57a88913206

SHA512
8e11a002d1b5b723fede0770f5b96e2b44029564808afcc6bb2d1afccc94c3f69a8b88c2e7a2fac53128174eac9abf98be77cde6ec0cdf440d43608ed7f10c69

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
196KB

MD5
62fc19bb832def060ba3578680cf26e4

SHA1
6d4a85354d553ae920cecade7420fcf2f3a4249b

SHA256
3f440ab7668a6534f62f194c0cd7af208dbcfed8be9537aa4eb8d0824ad795cf

SHA512
f830da07c369cf0d85c1ef03461858d38d6f83d912a8c689df0d9cc18e3f6b346cc803cea5c0f6966c774de491c72972603f7568169ce1c8354ed0831db9cf31

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
196KB

MD5
b8c328891e720bc8be4216a238cf4fe1

SHA1
9ba41a5491a960690d2a3fc772bfb66cfd15adb9

SHA256
0eca7ff9f7f093d065ac0289a983a598772cde350954c738efa61cc4006a6a6c

SHA512
b06f087e879cd2b5ccb52e9a682675bcffc00e3a9ae8368d94af6764722644431262463d6e0d289447b26706147864e3c1758ce5089d4d9774d509016dc2e982

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
196KB

MD5
7b62b92090de1c5b3cae8ac348ee972e

SHA1
d45d4f0030d30658d2333c0b7b17cc4011a8fac0

SHA256
be046df51e0c99b76b05956db9b2698768848225627ddb11b61258b5f53b6e55

SHA512
088f5165afc1157d1c88c41f213ef0253582e4d1994d18f657ddf94f7d0845ebf46d6a69c80a141b4d05e6d7bde4d0d7ab7215e9ce443450454193098c1ee322

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
196KB

MD5
ce6647ee4757473808d3c7636c1575e8

SHA1
9bd2eeee907ae9fe1e27859333b163681eabb303

SHA256
cdd5aa7c4c2fd7ff3fb33f3711ef04a9135182302fa32abde0fb8e7a37f068b9

SHA512
1fc4be16353aa0e68b4d08473e11a4050f634f2bcaa22f56dcd9d8b492519dc867e4e49827af445c6c0c1ec0dac4e981e7cc0e734752e235c0a765c9ddff6a2a

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
196KB

MD5
69dbd9a610d16e35b3ac071d383898f8

SHA1
178b654a97166ee086b627a3c0887840daa1ccc2

SHA256
0ff0e9243ac49a48a438111c282d2059bda2dc3dc80c192b4ecb069d540e4ee5

SHA512
fef6663756e6ee10502726a6b1aa9ee22be2dea7b31fdcfbbe05a35616a113f1be29835ec95511e98c3ee480569592e8d49d1fae4b3cdc990c627335a9e300a7

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
196KB

MD5
d46a82a4399b977a19f2cdd48e8d3f2d

SHA1
b1cd92b16abeb9074b0b3f09ac16e03b29058869

SHA256
0d43c1cb256a076b9e85ff2703ed2b38d5aaacb94264e21aafcf16c59aabcf65

SHA512
da0f5f983af75936566b0781f97e4867b262011e3152e5f3c93789d500b8a7fffba8845f30fb0f414b52924ecdb7907722d9043c434a8cb204bbbdaf5aca70ea

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
196KB

MD5
eb93f7c0a1b848188be5698797e197fe

SHA1
b3ce1f5a16a7677eb657a3e8b6f1def7b7e1a91a

SHA256
459e8bdc93b22e65257fdbcdc04f5580bdbb0705d7a2e8589df0aec7bada4382

SHA512
c8256743d5939a332a92dbc7b8311019ce15d11a2a0019cefeddbca35fcea92afd9adcc60e855b383321fbd21b8497f807f275d705f51d185706cb5616a47cc1

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
196KB

MD5
5ee6d273e510bf403b21ccf063a779b2

SHA1
ee5dad65ece323c24ae5d423b0569bf7ccbe9a78

SHA256
4e40447664d04bec1ea783f091f088ef9c8f1c269902a682f0cabd23ed9b0daf

SHA512
d2a5f2c505179268704239d4890aab9ce1a6e55da6e50212cbef0236fc809d62e9ace698c318399cc87b4cc3063b1feef878a4f4b0aafd546f9736d1940c75ec

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
196KB

MD5
b3985ffcb6cd8b9c33c3404d7441e4f5

SHA1
22557759ef77a4240dd69a2481130922c43f5048

SHA256
4aea8ec16e0529c67e81e9665e21cef7d108818a5348a17cc68d801c1d788271

SHA512
16c36564f797fff08758cff6fcfcc9c82a8194a52bff3e7260988e4ff9703b22aec28be9caed76f00c86aa9c6c3ec91e369be2b91b159fc7b844186af04caf7d

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
196KB

MD5
cf0c25ff41c3b2451c3095110946ce25

SHA1
a1f9e44c904a2a85ece6b384da37812ba67754a1

SHA256
81f0e0c8cbc3c0161b8b9aa9c55fbd095e542a94488f0a91cf395404ece303b1

SHA512
83fa70aa91db531fae1b487bd76e9d3ca8ecc81e21f27162e5b5a244917f10cd712343a622cb5074448d76ee9055c8e806c29e0ab0fd40376a6ceb0df67edafc

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
196KB

MD5
6f9bf4b8c09524afefb4da6773375170

SHA1
d5deeeeb2db145ce01ea077a0b1caab9332d2723

SHA256
88fd16f5cbb1c9221f7b2ec741f3d36d9611919fcf8fbc5361c0b7f5a0439512

SHA512
8c4bd79acc167ae6eef517f63346235b44cd0d08729d8abe30b8a6706f13141b0dff194e46b8f1f47376bf9dd69f0dd0e0f3acffaa8915ec48ec105808c5d121

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
196KB

MD5
901d75f1cca22093ea127b3dcbabbc8c

SHA1
5b9f99e7bea50b5154322c66b613dd9886fd01be

SHA256
1e99f7bbe63a790658d8be221461d26f533c26b78f8d5085a09823dd8fd54ab4

SHA512
8e8da82300ed23b2e1c11fa9632d9c3c76f85b37413a3c4b8863d1b40bb968ff28b75d3aeea0f2fb1bda905525429d70ca5a09303920c30fc8b33cbdb56d587e

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
196KB

MD5
0255289941919c0eebe4ccbb589f0755

SHA1
cbc5a9920431909ca6d89f803820fdcbab7885bb

SHA256
06717030ea56aee44ab7e72b11a0ac6df59ee7aadea4c6735b821ad4b4ceb623

SHA512
23854b26a0dea77077c264d68fe2774c9c9527355fd008962314597ad5935a740a73edabce979afa05cee098bbeeadb69994929a5276c9ba7faf5613405949ce

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
196KB

MD5
f39ff249c7478ab998cfa20f32f70dfc

SHA1
0a706d2a6025bcd6eb7ad515d834c7cd3fa490fe

SHA256
4fb4743c67d2a4bf622e06e40c105f8d057bfd0d4c67e5e04efc9f958af09f81

SHA512
2783b2c820e79e9636673de51584ab7b52d6568577784a6d111ee8c5aef2ff2e30e8149e37c568c387fda28a58192d50595d39ae0ebe9eaee047f50140f58fe4

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
196KB

MD5
c36a0815bdb36edc1ff1d5b862e261d5

SHA1
cc20afb5ed71e1ca48998768b16f5fc59cc58d57

SHA256
62d13926ed39a96af2ec07acd6bbd642d5e2569b7113a71d31949612d05beded

SHA512
0d446e2857e274cdfa788b48e931199d80c622f4d096fe5129f2552df911bf1e2a39507bc6e120be85d1d1b0801541d85af135d3e233bd7b1e8970c455bb7b68

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
196KB

MD5
beac472cdfb37268fbfa01088f7865d5

SHA1
ae71f6db0cc167d3bc764b147ca3407170653c0c

SHA256
6f2a16eddba80d9cc0d5bfa11ec3d5c4320783b3506aba464fc723a43d9c1dab

SHA512
313d465d44300240bff6b2c86be0b110c78841bb99dba94a5e5cb348af5257b16df22c3f77ecdd74574d1ed1dc8875e191f794d41890d16d5d72b75d3ab5646f

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
196KB

MD5
8782038c15b113fef628c6f4a2080be5

SHA1
b90b710ee349461ce9e20de68c3dbae76b9c28f4

SHA256
d15d2d6f67508530adc266c9758626234102ebe7ab4036e8e6f3c3b8d9d58bbd

SHA512
cc2d6fccf468b8dd0e519a0c2362959633bafc0353fba4d3d850b013b54cf1346a394aca55b1b8c7a4b4eb28101395815f3fa539f49db1f4f81547cf67690a20

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
196KB

MD5
346bbfca1b830bb93730022edd67ea23

SHA1
65e2ed0df0f92a49e55df33070abb29ad1230fd4

SHA256
a6bc5978b2ebbb47378e911e4795332fc2ec78c8bf9e6966bf005b6d008b7d14

SHA512
04e7c9a924f3503461e8234f735f9866c2c98436d9372c806a6b3e93694781153a0134ac07ae6258fdee5d8d5b8698cdae5c52cd524e498d54484b2df033009d

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
196KB

MD5
fbf92bd2210146cfadc348373be17901

SHA1
cc3b129966e4a6b3c8b12e0281efba8c0448e11b

SHA256
a0d6611aae71fd0de8a2ec4a71c928856d0e8c2269678c833cf991296d0e484b

SHA512
09315de9cbbf2a838fd8431b3a23370a80bebf8e023cd1e45c1627f077ceaf24e86c6b4089dc6a6368067ed56adff98f7b12eaae6189b355cf876974f032762a

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
196KB

MD5
efd6702f9590ce860dd756e1d99cf4e4

SHA1
22a96abd3e5a87e9411275202ebbcdc655541a97

SHA256
839bfef83505962fb52587173ba1bb92fa9cc392d8d6193a83958140844d5f20

SHA512
87c7c93f8e97dac90c704e7bb172f780be080a61aecd085c30d50eef43b8581ee05ed46cc8bb19733933cef3d2231a9660e2a9de6060561e6614e1d237760bbb

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
196KB

MD5
f1094b9c66b82420a77161384e01dd64

SHA1
754dc3ce654f1c9d5e4453322a0ec5b5ef217508

SHA256
e8215bada7f215efbef3de8022154a4d62b303572c98d95c411b4f4034fd97ec

SHA512
8e918470056ef0ded64d1c5870cdb9e3fcbe6debc4aad03f7316ce909b873609a970184653395a6f0ffbfe9fad4bfc8bfa8484db5546ef7faadc91e70a8ecb55

Download Submit
C:\Windows\SysWOW64\Gfhqbe32.exe

Filesize
196KB

MD5
8d9e634dd1703624661a9aaab7ac4ece

SHA1
40bc2c0d2d699578dcf9822401747f62ae971dfc

SHA256
b02d3bc065f89c05313a9497918a595fb2a376c2cf5a9d0bebafb4ab8e7daa35

SHA512
953c71c5949f606813d98a3dbbaba9766375f82491d440f50116407e66fc557a38398be60e30626b3692d8aa2043791272a6b0f475a5531a1be15e906e44c462

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
196KB

MD5
aa39c8f9a1c98d66412d3ec3a2973d94

SHA1
46233c78f84aa3a7e3002c23c44e75e242f4c183

SHA256
69a067e4444ab24b8c0f6ccea3e78f6d7951b4f62fec5e08b41ab104d9938a42

SHA512
1729e2d69bb099bc28e5c85fdb76eec8bd6d02351cfb20fc74e93b9978aee9a6480f3ea3c94b27707679e948750fc4342324393e67a71e64c65e79c303bcf4c7

Download Submit
C:\Windows\SysWOW64\Hpgkkioa.exe

Filesize
196KB

MD5
ffe1993f69e3660dce37456a7f70f951

SHA1
6bb7f7148944347f14917930a8a607fa3aceca96

SHA256
f4723262553fed4f7a30f9fa8689375c9adc56ab07fb3eafd4d5324a354ac136

SHA512
6993d2e113cd70c687baa227be51d9f3efec3d2c72a4d73751ab4d785d1257747aa2d78c2378efb5a502bfa823486ee1f72b278299ed580a03434b3d4ab653bc

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
196KB

MD5
8c1f366216957ffcc9070a04221178c3

SHA1
decdc93c0afcae6f49d4efc11ac054d0c815ec16

SHA256
a9475cfe1d33f8d5ceb2bd4e290a9bb20062bf66967331d64685b77326c49197

SHA512
168a52c16b1a0290d1b82c9e95127441ffccb7eb067ffc443784fd30486f9143ba7a759b018e111e5146a67fe19f6123aa2687ec9a3788be11341b9c4c47bf9e

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
196KB

MD5
58bac05bf5cca6056a047ec47017629d

SHA1
7512ac3dbd3efd2f97444af2b406ee2d32f41f00

SHA256
abf24bdd25d3aa53f8859b7b95f2d095b954315540d1a41ee0ae5dc359eb6866

SHA512
d8bc20ff73f5fc028eda15d50bbdb68da8c464e419c1d69d536127dd59c2a14f873ba3e23ad2101fd512da4172c8cb126d62760c6cc2d1081c92974349e70808

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
196KB

MD5
a40f0fe49fc14f1d12cd2e3ae485c86b

SHA1
a65d2f8fd21d7897933242660757ce3e03e7d9e9

SHA256
cc5ac135c6044c31e5dcfeeb47ea1fd22bf6e8b9d09583f185addc739326f68e

SHA512
d1d8129c91c89b562609bbc81643e91e8d2955de3067d61ad590b2988ca8602fbcca47347c615e864fab49274b7688ed09d5e06938071825efe4541c5dc2f2fa

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
196KB

MD5
3bcc826efef9e609b1046ee9e6525b24

SHA1
1e92d243f4b7e0e9b5138d85ab4d19956282a2d3

SHA256
26a5f4a075c87cc705c3a0c893d62b44ba0afba6e18f134d4ad0fde23264870d

SHA512
17b720823470c0a2268f3ce26d86f6a6b26196ac5a4524769ae658d6dc6f870e456dcdd6c7e5afc0a453337b14156585b22988b1b1db817343e155e5752af945

Download Submit
memory/212-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/384-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/464-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/532-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/832-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/960-285-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1004-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1052-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1148-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1508-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1608-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1616-267-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1884-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1932-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2020-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2244-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2312-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2440-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2496-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2780-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-257-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2900-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3152-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3212-345-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3300-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3464-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3480-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3708-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3840-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3944-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4004-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-96-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4272-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-249-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4620-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4644-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-351-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4748-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4780-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-299-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4976-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5004-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5036-160-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5064-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5100-241-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads