61cbee13f0642e0573d6f9520d8fcb7bbebd9b88ad728e63f1227236578e8a79

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61cbee13f0642e0573d6f9520d8fcb7bbebd9b88ad728e63f1227236578e8a79.exe
Size

143KB
MD5

a0fbf95796696b27328a1e61ff9c64c3
SHA1

101730aa48bd35dcfebc686c0f34ca7324ff2739
SHA256

61cbee13f0642e0573d6f9520d8fcb7bbebd9b88ad728e63f1227236578e8a79
SHA512

d513b982212135e8ddf597c096d513e9829de429aa62c1bdc8d7f86111cc39eba4b651f01250cacb3fcdef540ffb27603e7929e74c21dd241c0c0ca462e33b7b
SSDEEP

3072:VlW4SkkZ9elH+J0LRXDAl3N93bsGfhv0vt3y:VlW4S+e2L9Al3vLsGZv0vti

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	61cbee13f0642e0573d6f9520d8fcb7bbebd9b88ad728e63f1227236578e8a79.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe

Executes dropped EXE 64 IoCs

pid	Process
2620	Djnaji32.exe
2968	Dllmfd32.exe
3436	Daifnk32.exe
536	Dfdbojmq.exe
4764	Dhcnke32.exe
1580	Dpjflb32.exe
5016	Dchbhn32.exe
3944	Ejbkehcg.exe
4504	Elagacbk.exe
4640	Eoocmoao.exe
2212	Efikji32.exe
4980	Ehhgfdho.exe
1804	Ecmlcmhe.exe
4016	Eflhoigi.exe
1040	Ejgdpg32.exe
3668	Eleplc32.exe
4800	Eodlho32.exe
1924	Ebbidj32.exe
1768	Ehlaaddj.exe
2108	Elhmablc.exe
632	Eofinnkf.exe
888	Ebeejijj.exe
3476	Efpajh32.exe
3224	Eqfeha32.exe
1796	Ecdbdl32.exe
2920	Fhajlc32.exe
2836	Fqhbmqqg.exe
2736	Ffekegon.exe
3008	Ficgacna.exe
3716	Fqkocpod.exe
4496	Fbllkh32.exe
3000	Fjcclf32.exe
1348	Fmapha32.exe
1592	Fopldmcl.exe
1988	Fckhdk32.exe
1396	Ffjdqg32.exe
2452	Fihqmb32.exe
3768	Fqohnp32.exe
4312	Fbqefhpm.exe
4752	Fjhmgeao.exe
1728	Fmficqpc.exe
3704	Fqaeco32.exe
1688	Gbcakg32.exe
3236	Gjjjle32.exe
1632	Gimjhafg.exe
916	Gogbdl32.exe
4560	Gcbnejem.exe
1764	Gjlfbd32.exe
5028	Gmkbnp32.exe
4840	Gqfooodg.exe
3348	Gcekkjcj.exe
4448	Gbgkfg32.exe
3396	Gjocgdkg.exe
1444	Giacca32.exe
2860	Gqikdn32.exe
4272	Gcggpj32.exe
3216	Gfedle32.exe
3064	Gidphq32.exe
4056	Gpnhekgl.exe
1000	Gbldaffp.exe
3516	Gjclbc32.exe
1844	Gppekj32.exe
4364	Hfjmgdlf.exe
3552	Hjfihc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Ifegaglc.dll	Gfedle32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ehlaaddj.exe	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ehhgfdho.exe	Efikji32.exe
File created	C:\Windows\SysWOW64\Bofjdo32.dll	Ecdbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Daifnk32.exe	Dllmfd32.exe
File created	C:\Windows\SysWOW64\Ahgndd32.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Ecdbdl32.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Eoocmoao.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fqohnp32.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Ebeejijj.exe	Eofinnkf.exe
File opened for modification	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Akkfba32.dll	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Gmkbnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Jplmmfmi.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7620	7504	WerFault.exe	305

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkdeek32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gimjhafg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2620	2512	61cbee13f0642e0573d6f9520d8fcb7bbebd9b88ad728e63f1227236578e8a79.exe	91
PID 2512 wrote to memory of 2620	2512	61cbee13f0642e0573d6f9520d8fcb7bbebd9b88ad728e63f1227236578e8a79.exe	91
PID 2512 wrote to memory of 2620	2512	61cbee13f0642e0573d6f9520d8fcb7bbebd9b88ad728e63f1227236578e8a79.exe	91
PID 2620 wrote to memory of 2968	2620	Djnaji32.exe	92
PID 2620 wrote to memory of 2968	2620	Djnaji32.exe	92
PID 2620 wrote to memory of 2968	2620	Djnaji32.exe	92
PID 2968 wrote to memory of 3436	2968	Dllmfd32.exe	93
PID 2968 wrote to memory of 3436	2968	Dllmfd32.exe	93
PID 2968 wrote to memory of 3436	2968	Dllmfd32.exe	93
PID 3436 wrote to memory of 536	3436	Daifnk32.exe	94
PID 3436 wrote to memory of 536	3436	Daifnk32.exe	94
PID 3436 wrote to memory of 536	3436	Daifnk32.exe	94
PID 536 wrote to memory of 4764	536	Dfdbojmq.exe	95
PID 536 wrote to memory of 4764	536	Dfdbojmq.exe	95
PID 536 wrote to memory of 4764	536	Dfdbojmq.exe	95
PID 4764 wrote to memory of 1580	4764	Dhcnke32.exe	96
PID 4764 wrote to memory of 1580	4764	Dhcnke32.exe	96
PID 4764 wrote to memory of 1580	4764	Dhcnke32.exe	96
PID 1580 wrote to memory of 5016	1580	Dpjflb32.exe	97
PID 1580 wrote to memory of 5016	1580	Dpjflb32.exe	97
PID 1580 wrote to memory of 5016	1580	Dpjflb32.exe	97
PID 5016 wrote to memory of 3944	5016	Dchbhn32.exe	98
PID 5016 wrote to memory of 3944	5016	Dchbhn32.exe	98
PID 5016 wrote to memory of 3944	5016	Dchbhn32.exe	98
PID 3944 wrote to memory of 4504	3944	Ejbkehcg.exe	99
PID 3944 wrote to memory of 4504	3944	Ejbkehcg.exe	99
PID 3944 wrote to memory of 4504	3944	Ejbkehcg.exe	99
PID 4504 wrote to memory of 4640	4504	Elagacbk.exe	100
PID 4504 wrote to memory of 4640	4504	Elagacbk.exe	100
PID 4504 wrote to memory of 4640	4504	Elagacbk.exe	100
PID 4640 wrote to memory of 2212	4640	Eoocmoao.exe	101
PID 4640 wrote to memory of 2212	4640	Eoocmoao.exe	101
PID 4640 wrote to memory of 2212	4640	Eoocmoao.exe	101
PID 2212 wrote to memory of 4980	2212	Efikji32.exe	102
PID 2212 wrote to memory of 4980	2212	Efikji32.exe	102
PID 2212 wrote to memory of 4980	2212	Efikji32.exe	102
PID 4980 wrote to memory of 1804	4980	Ehhgfdho.exe	103
PID 4980 wrote to memory of 1804	4980	Ehhgfdho.exe	103
PID 4980 wrote to memory of 1804	4980	Ehhgfdho.exe	103
PID 1804 wrote to memory of 4016	1804	Ecmlcmhe.exe	104
PID 1804 wrote to memory of 4016	1804	Ecmlcmhe.exe	104
PID 1804 wrote to memory of 4016	1804	Ecmlcmhe.exe	104
PID 4016 wrote to memory of 1040	4016	Eflhoigi.exe	105
PID 4016 wrote to memory of 1040	4016	Eflhoigi.exe	105
PID 4016 wrote to memory of 1040	4016	Eflhoigi.exe	105
PID 1040 wrote to memory of 3668	1040	Ejgdpg32.exe	106
PID 1040 wrote to memory of 3668	1040	Ejgdpg32.exe	106
PID 1040 wrote to memory of 3668	1040	Ejgdpg32.exe	106
PID 3668 wrote to memory of 4800	3668	Eleplc32.exe	107
PID 3668 wrote to memory of 4800	3668	Eleplc32.exe	107
PID 3668 wrote to memory of 4800	3668	Eleplc32.exe	107
PID 4800 wrote to memory of 1924	4800	Eodlho32.exe	108
PID 4800 wrote to memory of 1924	4800	Eodlho32.exe	108
PID 4800 wrote to memory of 1924	4800	Eodlho32.exe	108
PID 1924 wrote to memory of 1768	1924	Ebbidj32.exe	109
PID 1924 wrote to memory of 1768	1924	Ebbidj32.exe	109
PID 1924 wrote to memory of 1768	1924	Ebbidj32.exe	109
PID 1768 wrote to memory of 2108	1768	Ehlaaddj.exe	110
PID 1768 wrote to memory of 2108	1768	Ehlaaddj.exe	110
PID 1768 wrote to memory of 2108	1768	Ehlaaddj.exe	110
PID 2108 wrote to memory of 632	2108	Elhmablc.exe	111
PID 2108 wrote to memory of 632	2108	Elhmablc.exe	111
PID 2108 wrote to memory of 632	2108	Elhmablc.exe	111
PID 632 wrote to memory of 888	632	Eofinnkf.exe	113

C:\Users\Admin\AppData\Local\Temp\61cbee13f0642e0573d6f9520d8fcb7bbebd9b88ad728e63f1227236578e8a79.exe
"C:\Users\Admin\AppData\Local\Temp\61cbee13f0642e0573d6f9520d8fcb7bbebd9b88ad728e63f1227236578e8a79.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\Djnaji32.exe
  C:\Windows\system32\Djnaji32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\Dllmfd32.exe
    C:\Windows\system32\Dllmfd32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\Daifnk32.exe
      C:\Windows\system32\Daifnk32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:536
      - C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        24⤵
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        27⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2836
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        29⤵
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        30⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        38⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        39⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3768
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        45⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        52⤵
        Executes dropped EXE
        
        PID:4840
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3348
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        55⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1444
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        57⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        58⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        61⤵
        Executes dropped EXE
        
        PID:4056
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        62⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        63⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        67⤵
        
        PID:432
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4792
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        69⤵
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        70⤵
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        71⤵
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        72⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:556
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        74⤵
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        75⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5020
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        77⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:836
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        79⤵
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        80⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        81⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4404
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        83⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        84⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        85⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        86⤵
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        87⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        88⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        89⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        90⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        91⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5604
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        95⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        97⤵
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        98⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        100⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        101⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        102⤵
        Drops file in System32 directory
        
        PID:5956
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        104⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        105⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        106⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        107⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        108⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        109⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        111⤵
        Modifies registry class
        
        PID:5428
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        113⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5676
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        116⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        117⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        119⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        120⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        121⤵
        Drops file in System32 directory
        
        PID:6128
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        122⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        123⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        124⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        126⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        128⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        129⤵
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        130⤵
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        131⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5500
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        134⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        135⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5968
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        138⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        141⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        143⤵
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        144⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        145⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        146⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6204
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        148⤵
        Modifies registry class
        
        PID:6244
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        150⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        151⤵
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        152⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6452
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6496
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        155⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        156⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        157⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        158⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6748
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6788
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6828
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6880
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        164⤵
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        165⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        166⤵
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        168⤵
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7124
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7160
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        171⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        173⤵
        Drops file in System32 directory
        
        PID:6324
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        174⤵
        Modifies registry class
        
        PID:6396
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        175⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        177⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        178⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6868
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        182⤵
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        183⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        184⤵
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        185⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        186⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        187⤵
        Modifies registry class
        
        PID:6320
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        188⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6548
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        190⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        191⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        192⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        193⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        194⤵
        Modifies registry class
        
        PID:7092
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5880
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        196⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        197⤵
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        198⤵
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        199⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        200⤵
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        201⤵
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        202⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6744
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        203⤵
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        204⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        205⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        206⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        207⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7176
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        208⤵
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        209⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        210⤵
        Drops file in System32 directory
        
        PID:7304
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        211⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        212⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        213⤵
        Modifies registry class
        
        PID:7424
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        214⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        215⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7504 -s 408
        216⤵
        Program crash
        
        PID:7620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7504 -ip 7504
1⤵
PID:7576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
143KB

MD5
b4eee112af09bfe0574b847cdc155bba

SHA1
3ecb522cc989865880d273fe31e1ce66c40ab437

SHA256
cfa73da6e8a996dadbfe10a434667c8049fef7e433352d13566f99750a1b4c4c

SHA512
0050641a71518151c561f969af7338da3c25fea9193cb44ef920217374a58da1a339752583e5556c49e4483949edd6a954efe3a2d56ef4fdfd7b051b0f3d0576

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
143KB

MD5
11a154b213c39df1615a5a954de9d2d2

SHA1
708a437080ae100b48b0a869b319998d57ba808b

SHA256
1e2785176bcfd97ad995333ced715ea1bf072dbdef7ce7bda43c32b7d3552cf3

SHA512
785d80216bf6a26cb4d89a9db32c63846f9ef3ef75f4aed36cf3eeae0c205bfe3068cc3a2db7b21c993d8667a17448add43f07c6d3fdf2334000b6bad6667a00

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
143KB

MD5
90e6c8a5951563bd02281c0ec783f71b

SHA1
21175fbe4338eefb511b4abdebb272057a6380ce

SHA256
7913a9a9a72afcb45f638d43df7dba1a33da7ed98d38d898a197c23e22341b8d

SHA512
ab703203a1da5e92cfc8ca3f56afa338c18d68bf8ea2b22aeb1d5fd6044446435268d3bdc55e2e31188432e108f76528a911f9cdfa7dfe19258e8e8e63c42d17

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
143KB

MD5
9696af5b0ec1e32709e7aee8ae09d33b

SHA1
676caf883745ceab6c5991d8cf057cbddc9c0f79

SHA256
f4c9c584b198acac53afd474859831aac8e314e85e5096ace26524c69849bf2b

SHA512
bc04ec8a63b516ca3ca80326f890311ecca653986f9a3f5fac7a3f7144aa39f381ade755bc0558f3c4bc555712de4baff20ee59e8b08c1aba9949b3441218496

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
143KB

MD5
3435a5164386f3267ebd0c7240ca789d

SHA1
1fd5d4a1a46233300324e6ccc2d4502ed8e6c03e

SHA256
3ac5ded1815bee708e674b2ebc078ff2a512106ca2922161776291858bc90199

SHA512
b8ac1070de507e42493a3eb1619275b9e7164e2ca6a2ce7988941ea9860be32d18e6ac759efb3e817acd5d1f0df68329ffea97e8886b765841e5375c9d723269

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
143KB

MD5
adfd5b316e906790889e20dbae170b02

SHA1
b8330747d3686e7b03c06fb7cf0d120ca8a331a9

SHA256
37264aee3165545c997c26c08200891cdf30b16241559261efa898889853e432

SHA512
163c5430dc2cf4ae8953875f1ae7b651f2f92bbdad86cbc2e7cce21524d88a262454df9a17fd9b16830567d62c8911f9a8502bdbf8daca0253a1dff53e271b66

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
143KB

MD5
db1d7191b65a66917697cb6a1ea4f6db

SHA1
3d24a9abe472b2158836121f09a6a25560545e42

SHA256
89d9efd3d2c8c199c13af7f9ecb87a0196a2ca7453759c8a5b99a7b1085e3817

SHA512
a74962ed1a38331cede1fe9fe82c7a4d5228d0fbc1b5bb591e059907a099bc7eb7bb796c4a4fc438fe500a9c9382a74a7d524afa11173a475b44fd3285b28f81

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
143KB

MD5
83b236265a498cc2cc84756b7409fac1

SHA1
423075e4913dab6224055d1b6d8dc3cd159cfc99

SHA256
c51e7fa1bae0b910667f3aa3433f79fe863f3c091dc9a960ab6f84cf236daa47

SHA512
8b9b78efd86d2af0394319969ab9139d67e3039769d58fb14094800668bf85f12d2262f912cf8a3655d6cd3f233b08c46ae0ec207745543b68ff6268e0fbd440

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
143KB

MD5
5ff52d5218b86dbfd3d71164922b4c61

SHA1
f4512ccd2966404178e56d1509027b657480c8eb

SHA256
2857254e4449053d37037dc4cbf7918c295b1637d7b6b9d3adfda1b1a5f5dd5a

SHA512
5d02c233abf3c2c4b14368a0de507ebd1d8dcfccedf78b014847501c1131f7dac53c6915adb97fec40ac2bc15630c8cf92be604d8d3ba709177afac948b538e2

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
143KB

MD5
bb3e35fcac34252e9354cfd553d0c238

SHA1
6b6f6bb09ae0e8740e1ee1c54e10bf82899f910d

SHA256
9484c8a688d14c99d9d11df54228235729d6f6e0e2670eb5a263832056f8542a

SHA512
a36c49e2b3f24c5755711ead51d75c00a2d51a2c79245adf7d4130b9762130c4ce3411d6b72b5563f233abf258b8eef5903532b80a54586df4727e5009e0c161

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
143KB

MD5
42288a7a55a08aaa988b1ea45a3d8e0e

SHA1
2e3114b5d1655138fcc0ecbb2077edc5b1d07ebb

SHA256
56f8f994805c1c141b6cac75d13de1fafa1f20da065ba526cfaddc4d213e882a

SHA512
56bf3f245ce4d719ee016f83745bc3988cb6fe5a2f4cc24054c4349b5a3c3c9d0848cda23b649011ee15210657d86f0a4b652cbc13ea1fc5cef8343517f7a93f

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
143KB

MD5
cb1b1eb95258bb9466f13bdd8caa3f9b

SHA1
3823959d5fe8aba9451c9c37c3d62431051254aa

SHA256
27ebe482671e4b1ad332994ba1f8447e363381ef52a129f588ff0c0701731c57

SHA512
53a5a6a1084bc172e822a06d58c132ccba8b35cb18a6446828a4ee727e02766411c404f54d115dbf32c855dd5193c232bb0783855d44419ee4e41547186f4009

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
143KB

MD5
c44656fc2629b26e2cb73ac7173ef7b4

SHA1
9bac26b6347daaffb6246e97bedd862a0c1a7a02

SHA256
2b99214012eebea560c383fe4cbeed4219314ccf8cda9f045228cc7c6c9e8ddc

SHA512
ff5753a4e4f7badd5add961d0e3f394f2e06d4d95076b14ef9603801727164f7cdc246c2f7e79c680c9dfcc4173217a78aeb6c671c80db41c58e675d2b88451a

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
143KB

MD5
30bc1560feb502c75988acec49692fcb

SHA1
0eac2ba760b3fca946d0ce7b63425e11cf48271b

SHA256
f7bb1e22ec3553cd42fd106176831835aaf83e592e1ca3917912f9439e28f7d4

SHA512
9a80f0f7a00306a72406dd122bc9401d374cbc62d5fd96dd169c607b8e4186c4b657bc336ae785822a6b8edaf3187e31876c409d6f52869ac9af2ea8cc96a4b7

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
143KB

MD5
2607aa2d2e01ea4765d82ed274f4c214

SHA1
a0b5f3154679cfb5e447abd521b7e26834cca721

SHA256
8a0b6efec77eb967258bd98f6c7305b47baa37eac21042e7f58329c2805bdcec

SHA512
8b377556a5b57d2a1037836e51f57fded765175cf78a2f670176a9567522f190ca7a05bd79aead3b54371478b8732bd611787a3e507f3a519fc9bd0e8e3f0a66

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
143KB

MD5
399b6925ff7f8749757428b52b2242d9

SHA1
bd376c3a3c76e9133652ecd8bd0c4705f6bd6688

SHA256
a26453b490b7fbe0d86c585e2125140c95466bd13e7e0bd5d0f4b22f8bb320bc

SHA512
d077ef7347fee5b59d9b284475f84b07035d69ee51bd8f561dd7288c1c74165d3d3871cb092d8412f334e25566ab76f248d7a2dbd69b2285c5b99dd4e53f4990

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
143KB

MD5
d8e09d0f16eee89cf4975bdcc45d657b

SHA1
bf9630c5132bde42d345262d03832c359babf451

SHA256
e3efe22f44a15ce4f4b59a052a66d3ced102dc24153514b55e353f715527ad78

SHA512
65a4f3e952e08c927d9779ac03ec9856070caa795589a8ca0259cb52d7ecd9f00f101c82297ec2ca9a6dfb5dce3fcdbb22f37b61580ed79f7745c0e69d056eef

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
143KB

MD5
d16a269ce116393da2db5731fd7deba2

SHA1
6b6365ccc0fa89e1d70b8fcb85987f917d6055b5

SHA256
6f304ed5938317f926c64085960f89c61a5d53b76c8f56d0ea1cd980e276fe90

SHA512
51743464452926fd7d254a06964aac25a61d258d7b47752f17d7eaa599eef2f35b8261cc56a935a4edb6646f25e4bc5e49f3a8631be137f07a9e080c28d489a3

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
143KB

MD5
660959877686ff31d9fd195f5d39b617

SHA1
8b25c8ef201718743ec7df088f1f22a6c33e658d

SHA256
e1432285eee3feba3a01ef26a2eb9f20d2c19ac06ae42f491b3b088c58a565d9

SHA512
d79eda280a5215c25e4b132d1737b377d14072c27acb89f5132b5607587f28e7c46e1badcebd720f5c8813541dcf9d97d734e8b2463a8d9db0b746cc6ecec4da

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
143KB

MD5
80e9021bfcb571b2e65f71cd184ef27c

SHA1
ca4d2e52880b00aa0ff4d7e9f93de811ec70c9af

SHA256
2ab1d715a51f71f8c23e61ae3761fd8862681aba552e562bcd2c957ed59eb7a7

SHA512
f2eff219e52d4b94b21481b77dd3032f3b60f2f163ba53b2d26f7134faa933a94bae679de1dd2efb885c718b29833e697dc9d598391e2d8fd5db686b5d005bb1

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
143KB

MD5
696fc3ae7626f38519f0cb10cd726ffb

SHA1
36e99f589cd51f8d451a7b5e0d2f7c82053ee58c

SHA256
054a8bab15abe9c3c70bfca0e54c3befed00ba83c6ce81224ed6bbe6b216d61e

SHA512
3191999b3c79f632a4fc804382643844545a4e5df6d5c5bfc0cca22d302cd80db57091678d7de07ca5813ef8b650d2c0404ea4b369ba44bd77b544ec44d5a00e

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
143KB

MD5
05f22fb1f69dacb8e9582f63d3f2f99e

SHA1
abb2a9dcf56c38dc74ddd6e8197c88d6bd831dcc

SHA256
47e52cc78a98a1cfe2b06b51a0def10073343335a88b2011b8c37d28b28d5e00

SHA512
15de0da23c151efdaadb8b46781c26750fb1504dcebd24313fae14c26675b357e6647b247be7d48d587d5fec31b6c21fed1805ada6f32d2df8740ae6c4144844

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
143KB

MD5
15ba99478ac2958e8260735160873f78

SHA1
f37a301cdc9ea4474beced68b5e4aa7ce78527c5

SHA256
63d9bc0193355769a3f1d72116a342c58dd5e5888ece181d89a4a7be29f73a85

SHA512
dded18e212d3ee721466c205b26bf3f2bc6ac693f81f1d0a48fd27e3b185d93986534d809208774dcbb45aae3ecc9c91f22a2864ce6c22950bfdb3b895853d74

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
143KB

MD5
40bfaf4affc085e86fe10cccad83bd49

SHA1
4837b77084dd30a8d62718cda21cc2be5cb63180

SHA256
e9425f73386661d6cf9f2a878955f84420f74c5cfa6523feaf207f86f273674d

SHA512
de187d5ecf32d329fa0d4a312423875fff4d60a25185a86f1265315a3422056bf8f0f4dd4f67bdc71deb61752aff4bb182abc938ed3b3e7862e5dd2f0aa7a727

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
143KB

MD5
ff674b315f5ab98daf09b698cf7572c7

SHA1
6ba73287b4d7d9ecfa264880b4e35c4aa2fcecda

SHA256
893dab57063f2bae018b9c714e5fff8587d0f2de8ce9bbbe3512ad29f0617ed0

SHA512
a90927a23fc1af28cd98ef6e2927016f1a5debb54e63d1af0721c227a2697c135cad2732872ff7ba339635810faa5b045c3e14602adf63b68d82a7741fda3dfb

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
143KB

MD5
ac2f7c6f598cbebee8f6c631b77bc65c

SHA1
c675741b615f6b8639174252c084c9c9ff92ee3d

SHA256
cb3bc1ddf96f95d9ea62650b1281d4927b0489cc5cdf317eaac71d9f13118cfa

SHA512
f24fc9b89e5739ab89ed1bc21688040eb55b630fd5dd5e80f412eb07892af64a283db3f0267001d014e00f44a67d40f47a006e359bd677648f486f7b51c65d82

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
143KB

MD5
0d7b4fec884d81dceb411bb7679004dd

SHA1
a8785ccffd69cfe659d999da14ea50c71fe29ff2

SHA256
06d0fb22e95b86a78895dfdb2ebae1cd93b9dc4fc56b5cb0900f101be7690024

SHA512
ac751876eb83f2bb0e4a480cc8c0323bd10f5639ed19047f4e39e59572a0d331f00266e10ad0884f3ed520734ef7575b3e1a38fbedc077cc8014d35f9317a8fc

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
143KB

MD5
9784646cd88ce81d145c2c1ed7c53ae0

SHA1
1a805108be966f25d86808cf33668eadf85ec0b0

SHA256
d00e1c3b23addd60d177754ca4f2632aedce50bf1b639bd9a622b2c6cfcf7ee0

SHA512
8f5557ee590d6d1dce8836bf83af34f1dadf6ad320896bceb98a8d62d4c0cd825a46ec6e1cfad9fd1e9d65953a9aaca179d54c01ba50f6de2d75efd37b5223d6

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
143KB

MD5
72d8c616ca73f6e95d41403301d1b188

SHA1
c31bb9341c3ecfbc4e2d8bde2573d45ed6dfb043

SHA256
ea01e1eaa38cfc34ad32a7973756a7ba9d408a9c9d5f03f1568d890c10e5f8fe

SHA512
28a8372fcca9c644cf86b3c591533d972c77e2576f12806a154b06d2327db835efd522797aca09e2d8841727a6d7ed3d5c5f4e52035030bc1eed6ef324ea27ef

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
143KB

MD5
902dd7c140fd0778b97b25d53672fb3b

SHA1
fa8c6d1910d742a0a342d4bbda2da08cc0eca7bf

SHA256
08bd7afbb67b292130e7e2b7056c0020e15a424e425323ec89863100f54b8642

SHA512
36cedd51a2caff781cc9d1eea11b45f40c62d5ffc547cd151879e925a56c3ab61a64d75232265b2c7035a4ba7e59b2d0375a36ede91821debe911e437eafdf69

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
143KB

MD5
e720ab0393dd567afda2c344f5e0c9d8

SHA1
d2ff40581f30b5909dc0d1f55ca651834893b468

SHA256
f4b7369505ee9da5014363285c3511e0c31896e3c7b536d745d936051745ced8

SHA512
c16695226214bcf112f98367da1d1e1927b48c0bae74034260cff5388484f94dd56a8f29028c6f2d75f50ba6a0853e78c566ef186a7ac1f8db2dde7ffd280dea

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
143KB

MD5
cdb03b5463518399ae37008a0a5938fa

SHA1
f3774cf0e52d0de94448f08f4c920d5dfdd44f86

SHA256
6b2edc51da2b4d2d9fc896b4767c0c1b823a04d2525f9431076594b361beb773

SHA512
cbca5168abbfb9d9ad04085844911984a720e92baf4bce617bb8a55a9f3f076639ad62277b5b3afafdc9bd327e599b72489d6d138f38b99c0bb74be8ee0d2b68

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
143KB

MD5
0183b8256714719353fd1d9f50432f78

SHA1
61698929069b5f1594c7ee4c67430cff3933d88a

SHA256
ed45bfe28b9b955787334eebb21089f9bc31e480e1efd1ec28320c237ecee8a2

SHA512
520d637e9aaff4668510ed558948c2ac38e802988fba67deba40d99f52cd6c39e187b90dba8d4d647c6af6305f94dbf51b64ee135f5f60b02ee9d3504d54eac6

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
143KB

MD5
2c643ec43e402bc1c258f6506930a5c2

SHA1
8fa5024446a354089155442393c48d11456470eb

SHA256
56becc4bdee3ed777627516920e0d4efc3f2f300297b5d1df4304c2cfe7307bc

SHA512
4b71e950dea72141aa7c65f80311a4ab732ee4401ba24d1042ee40f31825a15b64908a53df974fbfe1bac68998f7557ab99777f19d8a97aac180249279e30edb

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
143KB

MD5
a05b58eecdac5de7d4234295518515ef

SHA1
cbf44628eaf3da07d944f15f7ea9cbc512727fb5

SHA256
ba35d91d3eae842b297562917eaa3ad42bbbcae3f3279e51df9a02edd9973a20

SHA512
2c1abfdfa2811c272fd55eab46e83d7befe9afa223372bbb5e23751d03903581ba036e2b0526f567909f229666195cdaa43917d13346b0628703fe37fd2de83a

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
143KB

MD5
596da6c4060fa93b54d583c2d5fced96

SHA1
65370ab96d7c5f65c5ef7edcde4cdadd079e2741

SHA256
fbe1729ba2b97d4d0b262b51845b5aa7f2f5b46d96356325f485ced7d9f36e3a

SHA512
05c7fdc8f78e6e860514bedb2a5b5b82928f67960c7e32e363644812443f8ddfda144f02cb45da7e66ae187a597e05eede061b7250a55b709eb602262eb886da

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
143KB

MD5
c76a196be210b59f33f6bbcb2e5741ed

SHA1
1493c76482bb260eac0d87e3fd94085b1b88b7b8

SHA256
09e0e978fdea030169e00b8d633d3f3367aa313324aec79ac3ec7c0c3d1d8741

SHA512
ad8f27540f54e1f71f8161a08cd168b4fe7581537429e957f4e2ba89ce131e09a945f27539832f5be4f8cc5b3d3ac9af6c435052fbd860bbc6ae785c9c156516

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
143KB

MD5
e3e8d2155a0a6f495178b8de5331bee7

SHA1
52cb6f3b32027d2dcdd7134ca5e47cea980e3cf1

SHA256
766cf5d645e1c565c3e8b9f19d68143976e94c25d72d61f7361f5f41125a0578

SHA512
328074d3e50f86aade791372041d8bc67d31b88eaee8a3958997364a69cd14dfa5595033c75fa5a1e7dd5aa1fb82f65b430fd17bb0ec9b015d3b79023918cabe

Download Submit
memory/536-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/888-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/916-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1000-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1348-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1396-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1444-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1728-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1764-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1768-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1796-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1804-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1844-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2212-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2512-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2620-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-399-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3348-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3516-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3612-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3704-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3716-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3768-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4056-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4272-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4448-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4504-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4640-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-140-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4840-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads