d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644.exe
Size

156KB
MD5

0c2e6c67f6c9e41a1f66e698444eec38
SHA1

6565f753a3f0c0995fd1b91cb649208964ab1c18
SHA256

d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644
SHA512

7b49d0b76d989461509012fb8279870c10eea5510637b60bcf4c3f8655a5b8de5adfb5f6f0e62752b802d153a8d51b03449a61728ca30cf19692164d8cd872a1
SSDEEP

3072:h+bzXMntV0erJ9IDlRxyhTbhgu+tAcrbFAJc+RsUiM:hL0ersDshsrtMsC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdbojmq.exe

Executes dropped EXE 64 IoCs

pid	Process
4652	Dfdbojmq.exe
4704	Dpjflb32.exe
3500	Dchbhn32.exe
436	Ejbkehcg.exe
3920	Elagacbk.exe
2008	Epmcab32.exe
3952	Eckonn32.exe
3016	Efikji32.exe
3860	Ejegjh32.exe
2192	Elccfc32.exe
632	Epopgbia.exe
3260	Eoapbo32.exe
4012	Ebploj32.exe
1760	Eflhoigi.exe
4016	Ejgdpg32.exe
1512	Eleplc32.exe
1856	Eqalmafo.exe
660	Eodlho32.exe
2360	Ebbidj32.exe
4276	Efneehef.exe
520	Ejjqeg32.exe
3168	Elhmablc.exe
4100	Eqciba32.exe
560	Eofinnkf.exe
4228	Ecbenm32.exe
4384	Emjjgbjp.exe
4252	Ffbnph32.exe
416	Fhajlc32.exe
4536	Fmmfmbhn.exe
4784	Fbioei32.exe
3852	Ficgacna.exe
4328	Fmapha32.exe
3948	Fopldmcl.exe
4980	Ffjdqg32.exe
1608	Fihqmb32.exe
1088	Fmclmabe.exe
4552	Fobiilai.exe
1004	Fbqefhpm.exe
1488	Fflaff32.exe
2120	Fijmbb32.exe
3576	Fqaeco32.exe
2576	Gcpapkgp.exe
1140	Gjjjle32.exe
4916	Gqdbiofi.exe
1644	Gcbnejem.exe
868	Gbenqg32.exe
4932	Gjlfbd32.exe
5012	Gmkbnp32.exe
4716	Goiojk32.exe
4348	Gbgkfg32.exe
5108	Gjocgdkg.exe
5104	Gmmocpjk.exe
4564	Gqikdn32.exe
4912	Gcggpj32.exe
4116	Gfedle32.exe
2372	Gqkhjn32.exe
212	Gcidfi32.exe
2712	Gbldaffp.exe
2524	Gifmnpnl.exe
2740	Gppekj32.exe
1300	Hihicplj.exe
2828	Hapaemll.exe
3400	Hcnnaikp.exe
3020	Hfljmdjc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ogaodjbe.dll	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Fflaff32.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Aiagblgj.dll	Dchbhn32.exe
File created	C:\Windows\SysWOW64\Gbjgbh32.dll	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Kibpam32.dll	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Eflhoigi.exe	Ebploj32.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gbldaffp.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Eqalmafo.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fmmfmbhn.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7008	6496	WerFault.exe	280

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekdppan.dll"	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobgoedj.dll"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkklocjg.dll"	Epmcab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphbondi.dll"	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfca32.dll"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbenqg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4652	4904	d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644.exe	87
PID 4904 wrote to memory of 4652	4904	d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644.exe	87
PID 4904 wrote to memory of 4652	4904	d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644.exe	87
PID 4652 wrote to memory of 4704	4652	Dfdbojmq.exe	88
PID 4652 wrote to memory of 4704	4652	Dfdbojmq.exe	88
PID 4652 wrote to memory of 4704	4652	Dfdbojmq.exe	88
PID 4704 wrote to memory of 3500	4704	Dpjflb32.exe	89
PID 4704 wrote to memory of 3500	4704	Dpjflb32.exe	89
PID 4704 wrote to memory of 3500	4704	Dpjflb32.exe	89
PID 3500 wrote to memory of 436	3500	Dchbhn32.exe	90
PID 3500 wrote to memory of 436	3500	Dchbhn32.exe	90
PID 3500 wrote to memory of 436	3500	Dchbhn32.exe	90
PID 436 wrote to memory of 3920	436	Ejbkehcg.exe	91
PID 436 wrote to memory of 3920	436	Ejbkehcg.exe	91
PID 436 wrote to memory of 3920	436	Ejbkehcg.exe	91
PID 3920 wrote to memory of 2008	3920	Elagacbk.exe	92
PID 3920 wrote to memory of 2008	3920	Elagacbk.exe	92
PID 3920 wrote to memory of 2008	3920	Elagacbk.exe	92
PID 2008 wrote to memory of 3952	2008	Epmcab32.exe	93
PID 2008 wrote to memory of 3952	2008	Epmcab32.exe	93
PID 2008 wrote to memory of 3952	2008	Epmcab32.exe	93
PID 3952 wrote to memory of 3016	3952	Eckonn32.exe	94
PID 3952 wrote to memory of 3016	3952	Eckonn32.exe	94
PID 3952 wrote to memory of 3016	3952	Eckonn32.exe	94
PID 3016 wrote to memory of 3860	3016	Efikji32.exe	95
PID 3016 wrote to memory of 3860	3016	Efikji32.exe	95
PID 3016 wrote to memory of 3860	3016	Efikji32.exe	95
PID 3860 wrote to memory of 2192	3860	Ejegjh32.exe	96
PID 3860 wrote to memory of 2192	3860	Ejegjh32.exe	96
PID 3860 wrote to memory of 2192	3860	Ejegjh32.exe	96
PID 2192 wrote to memory of 632	2192	Elccfc32.exe	97
PID 2192 wrote to memory of 632	2192	Elccfc32.exe	97
PID 2192 wrote to memory of 632	2192	Elccfc32.exe	97
PID 632 wrote to memory of 3260	632	Epopgbia.exe	98
PID 632 wrote to memory of 3260	632	Epopgbia.exe	98
PID 632 wrote to memory of 3260	632	Epopgbia.exe	98
PID 3260 wrote to memory of 4012	3260	Eoapbo32.exe	99
PID 3260 wrote to memory of 4012	3260	Eoapbo32.exe	99
PID 3260 wrote to memory of 4012	3260	Eoapbo32.exe	99
PID 4012 wrote to memory of 1760	4012	Ebploj32.exe	100
PID 4012 wrote to memory of 1760	4012	Ebploj32.exe	100
PID 4012 wrote to memory of 1760	4012	Ebploj32.exe	100
PID 1760 wrote to memory of 4016	1760	Eflhoigi.exe	101
PID 1760 wrote to memory of 4016	1760	Eflhoigi.exe	101
PID 1760 wrote to memory of 4016	1760	Eflhoigi.exe	101
PID 4016 wrote to memory of 1512	4016	Ejgdpg32.exe	102
PID 4016 wrote to memory of 1512	4016	Ejgdpg32.exe	102
PID 4016 wrote to memory of 1512	4016	Ejgdpg32.exe	102
PID 1512 wrote to memory of 1856	1512	Eleplc32.exe	103
PID 1512 wrote to memory of 1856	1512	Eleplc32.exe	103
PID 1512 wrote to memory of 1856	1512	Eleplc32.exe	103
PID 1856 wrote to memory of 660	1856	Eqalmafo.exe	104
PID 1856 wrote to memory of 660	1856	Eqalmafo.exe	104
PID 1856 wrote to memory of 660	1856	Eqalmafo.exe	104
PID 660 wrote to memory of 2360	660	Eodlho32.exe	105
PID 660 wrote to memory of 2360	660	Eodlho32.exe	105
PID 660 wrote to memory of 2360	660	Eodlho32.exe	105
PID 2360 wrote to memory of 4276	2360	Ebbidj32.exe	106
PID 2360 wrote to memory of 4276	2360	Ebbidj32.exe	106
PID 2360 wrote to memory of 4276	2360	Ebbidj32.exe	106
PID 4276 wrote to memory of 520	4276	Efneehef.exe	107
PID 4276 wrote to memory of 520	4276	Efneehef.exe	107
PID 4276 wrote to memory of 520	4276	Efneehef.exe	107
PID 520 wrote to memory of 3168	520	Ejjqeg32.exe	108

C:\Users\Admin\AppData\Local\Temp\d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644.exe
"C:\Users\Admin\AppData\Local\Temp\d2ebe6956f9ef8592467cfd64a76b08090ba42d34b5f424727314792ecc9b644.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\Dfdbojmq.exe
  C:\Windows\system32\Dfdbojmq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\SysWOW64\Dpjflb32.exe
    C:\Windows\system32\Dpjflb32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\SysWOW64\Dchbhn32.exe
      C:\Windows\system32\Dchbhn32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        24⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:560
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        26⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:416
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        31⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3852
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        33⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        42⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        44⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        45⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4912
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        56⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        57⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        58⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        60⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        61⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1300
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        63⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        64⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        66⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        68⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4648
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:752
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        72⤵
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        73⤵
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        74⤵
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        76⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        79⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        80⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        81⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        82⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        83⤵
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        84⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        85⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        86⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        87⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        88⤵
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        90⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        92⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        93⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        94⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        95⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        98⤵
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        99⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        100⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        104⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        107⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        108⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        109⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        111⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        113⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        114⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        115⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        116⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5576
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        120⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5728
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        123⤵
        Modifies registry class
        
        PID:5876
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        125⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        128⤵
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        130⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        132⤵
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        133⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        134⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6056
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4936
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        137⤵
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        138⤵
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        141⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        142⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        143⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6024
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        148⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        149⤵
        Modifies registry class
        
        PID:6236
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        150⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6316
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6352
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        153⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        155⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        156⤵
        Modifies registry class
        
        PID:6524
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        157⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6608
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        159⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        160⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        161⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6784
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        163⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        164⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        165⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6952
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6992
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7036
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        170⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        172⤵
        Modifies registry class
        
        PID:6172
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        173⤵
        Modifies registry class
        
        PID:6260
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        175⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        176⤵
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        177⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6532
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6664
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        180⤵
        Drops file in System32 directory
        
        PID:6728
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        181⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        182⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        183⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        184⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7076
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        186⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        187⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        188⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        189⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 400
        190⤵
        Program crash
        
        PID:7008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6496 -ip 6496
1⤵
PID:6820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
156KB

MD5
66898bf713fe4d178aebcdf6fbaa5d86

SHA1
4f10e1fe74e10998a071b20efb2d0b45cac073a2

SHA256
63c6f2ece942cb235a11c0fd3578379c9de2fa918e49c67b0298e3f6fd120882

SHA512
bc4db6ea3d9c839224c215dca1ddd4357f98c8804b32eedf9e6513fb98e45cc9508cd268dad025939fa85a217df3089761933bb04a355f53ccc33f2b775efa14

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
156KB

MD5
21de8e134826de702c05d7b348d23f73

SHA1
7ae5b58d7eb8fc1b41dfae0a94c01d3f1a428695

SHA256
036391d6269b799584b765c5dd1868b79614d7d14dc124502eddd10045af6199

SHA512
beea09407ae2ce6c6a9acfc644c0e6c856b8affb8bce3b7f78a6fa8c2295235708ec214dcdc24271c7c9a492bcec8d4632f1c099912bdf4049ae0926c92bb556

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
156KB

MD5
b5418d90c2b7ec9d420caa694f42784c

SHA1
dd70217b87fdb86b69b42773f3bd25e9388a6fa8

SHA256
936b693116699f85b106040c603937ca06fe8973e076cb35e38694a2c460c968

SHA512
bb213d5ec37f826b297958343a5dc48d1b2aa0c8249d8cfcd1476f7efa0f3632175d9df88a060ab560530c54e8b31c16a4f397583ccc9059e3737e34c698704f

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
156KB

MD5
8114da9589f3750856b60cc28e568b43

SHA1
3c44ea4d8037bbcb489a1c33bbd3db65b402eafc

SHA256
c1fbab4166091c404f10c23207e9ff0354f4af160d1f88800c3c2337b2ff4493

SHA512
9d9515a9c3837e1deecdb0848e08127fb0b9dddd987c86c7888a533966b360f0c1b9d67f072e9dd2f48324ea561903786955c705e9138066126c5ba5f4cfefc3

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
156KB

MD5
7e3b555b5cda9e2bbe142265a4ea4840

SHA1
f8f5713d1ce989842922e80e5ddf1fca6ece7476

SHA256
75825bc4991ee73a725f4eacecfd46547b34c49841ad8cec735dc6564713c3b2

SHA512
be7b1677bd6ea70eb27318f0929934b9698129db878f395ce3e0b394473dac2e69ff34eb7f71746ff125305b656afc54964d9a57240d942b89883dae53b80485

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
156KB

MD5
2c5440c4d1bb228d85b93e827a1089b0

SHA1
b2fd1733eda965759378a7025832e21ecd0e27d5

SHA256
948f6e33a98ad80fbbf7b266ada4800a1e283cc9b7e39256031b450ae4e3fb83

SHA512
fb0c973bb9cd246844914c0803eb9276e09f42372f1d07649acfd7f98aef14bcd3db8c01b4be357599423429ecc0385bc42920d23c17f8eb369876214807321e

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
156KB

MD5
c4d490a6079f6ba9119845cf76dafbb2

SHA1
6705441ee4eb882ec55e03e6901479a69bcd1aff

SHA256
47e7978c8a4d16540fbab3adc55d0def4915cf8b6e5f7dbd91f8b7ba9a1a67b4

SHA512
6cecfd96aa0838a1ba5c37a07967251c193a9c4a03222cf3f0486c76c1d4cff61fd6a0f5269964844b54448586cd0a796f60c45fa44680a9201262d0a3981892

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
156KB

MD5
7aa2c37c705cac6645f010916426db8e

SHA1
19107416c18cabd800821074904675c406816aad

SHA256
e18a9245ce38143ab3b4392659f664da412c46f9eb97f0c9fc952f5283f14517

SHA512
9708b65f079a7e36a71a6c9b54998ae341d1313fcd8403091fc0b954681e6152f6d3c7dfc64bce77f24852e18dc7cde31820bd4d453f6234ef46821128a22cf8

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
156KB

MD5
0033567b0e3fb2b8dae28f9a29d06c27

SHA1
c4d6f773d570021ded7c8c0a4dee60ea1f990ea8

SHA256
6792f91e6a5d7e5257c161aa6d008391f0517508bee7dc627a79baf5b87678bc

SHA512
84aca2fbc470fdda8a4d2befc9853b7b162454f129010973c11bcd6a590b3effd581c6b4f04ee3267e86f5529b54f6315f5ba9a9383e848186778de7d5bf2571

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
156KB

MD5
5447528686a05fe8a68de8c6c0d6c64a

SHA1
5232a616f1c7b080946c787f91bba42252c28e7b

SHA256
8706ce55c50615e900e58fb42c9ac0a68ea32c8bd9dbdab098144b7a0521c439

SHA512
4d0a085f8674fa14af2772c7c95bbf1721ced2b7904313a6f78d2ac691d7f1dd84d3e53cb71e36a551f893a70a47fe2618c0cd5409d93e94c2ba65d494c356e1

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
156KB

MD5
c39869b38717d55e42ea055d9114738a

SHA1
fb62d6e3a8da92057e50eab355a153dc30357243

SHA256
9c101784144b24b1df0855afa7662110d775d21d7b05a7ebd33547bfb10e60ec

SHA512
b8ca57c457c269dda8d686aa8d4e18fe6be7cf70511632825ee5667dd1786e1df6b75169b75fd79ab7c5cb4a8d9f36518f737e6e0f53b0ae359cf0b9e2d17106

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
156KB

MD5
8abc0082ac61e221faf637126f5f9752

SHA1
9be4f3c28bb33e602f0121279c82f97f1bd48b09

SHA256
fb6629117f4f34bbca974e17cd69ae02ca18584933d0fa4803d243b2f244bb05

SHA512
104e1de9ac676a4401e9e07cd20ddeed7ed5354d6d90174f4cde1018e3bb1c4ba26e165ba3e081853587139006fa948238cc686a455f0a4d08dec822d7975a28

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
156KB

MD5
de1994da2adac0249e68c31bc950bd74

SHA1
e38a3c4725050e835758481c98460ef7ac241882

SHA256
49de1799544291c6f37a3d4b2be40a8116a80922fbdc0d2900d5f858a973b2fe

SHA512
202ab894813018fa654947e5c9e1049873349ce4ac3115296f77edef1a08dd04d1cf500bb97dfc2104ad6e5f24b745c087f61b6cbed3bd7e2b4b2e9db4a2ebde

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
156KB

MD5
ee5acfe064cd34ddef8b32a0d26e9607

SHA1
ac866d9f75234dbd6a8a7d36850f65214f986d33

SHA256
6b2fb929ee2032b99c165d09b879e20cb72c5413984be264477a8b7518e70f5b

SHA512
9cce7cd66039ecd64c2ec8fb7b45093b10d99626227936f7a62565e6ef1aafc7774e3efa4ef4233bc53528b6946d6c8cc692470439d7f2cea99961471a517041

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
156KB

MD5
4d52d51cf83915000dc5f4a67f6ce7cc

SHA1
6bcadc28e204403f53b362cab6453dc70e0337b7

SHA256
890e18e740b4119e970743363c7bd70a8273396a9161f67b217d6ff147478590

SHA512
683d954cfcb81f7dc78e3469e67927257eb722a085cfdd6d3cf264b771bef3a52dad7386e3fc584d82bf830dcee0548563ef2c3664cf39e9195c6b2d0902ce99

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
156KB

MD5
71c76795e5da32a4d372faed483ddaaf

SHA1
3813d3d25c7485e0a80a2cc4b069d723eb042b58

SHA256
e69a23fa7756a16d0d5808af476a7c641b95f0c2d699157a9f2547dd42cf9b4d

SHA512
f2ae591fb55572843c764dabd71909b9fbe2eee6670ac8b05ae2c6bc76b887f48d76fcbc14d0e2c8734446f2e5a08a801d3c1b4bf2120cde70aa3d2252dde47a

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
156KB

MD5
387fce0bdc35db158434fab4237f0a18

SHA1
b845aa7fe3a1acfc04c5d9dd16d910fe838a9e90

SHA256
f24d2d16ecd88e066d2955eb22604a4236acae67dc75b99e564e7ced8ecf41f4

SHA512
c3ae91d167ad90c57a9afce3a824bf252c680af1e7ffd905a26281bb89d331066a64e6c9b51aeba3b052706be40bacb194f474a468a3511eeca0e1f3fc1d8202

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
156KB

MD5
89537541f7c3c600b1986b05e9ded961

SHA1
ebcd47c2ad794a39847fbf2aa57fcedbe8a8b3a0

SHA256
e25db1eab619078b736acdd487e55cc1ac309c71b1728c553465976366d7a4e7

SHA512
8325481d3a596b00beed07895864e145d780627648282c00b44d53014500bac79d5c309613b5ae6c23b97781bc73b6d0a34df39f2889aa4152fb2153914113b6

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
156KB

MD5
7bea26a42ee88fd466a361c4a6630a8d

SHA1
1ab7dfa5cbcee9aaf94ae611d6efe4e1ddf20969

SHA256
e442d82ae84d91c515011a2641b8afb0fc217ec8612575e2415af27573caf056

SHA512
16d3c1c8e7a4ce5f858a4297a283971886f6b68ca82e208e6a967fe9bb4cee2e69d5604733e0cfc70d7970f0e064996c2df12d0ee1ea5d550a39e9a7e4fc208f

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
156KB

MD5
6a38fc30cdba9a866e4816972e755db6

SHA1
70c1e7a2c3c4e77f25c29b7b057be74c40aa26d1

SHA256
63dce17716a2e1837a7915e203aaa99c036e37e34217cfd3a546537264e25cb2

SHA512
fc1270cda431fb01eea845a7fa1dece659021f5e4ad509333bd1eaf7777a92311079c332a42944baef82995b4145d20387f0b4f9ab7010a9b09e96a3dbc71de9

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
156KB

MD5
202825605fc924a3372d710c35801271

SHA1
caecb1f4dea2dcf10429ccc8e500081e6464118a

SHA256
6127483b7966339bace02f6e1ce5c068df51c133f3e502210c226b0b79f031c1

SHA512
9e83847747bd83a4db2fa64076de51ba0090373ec87000df44189725abf02bcad7f50d42d4239ae3749bad1f284562edbd2024f8b82af421974a00b8ebaab046

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
156KB

MD5
4456f5c4ac52df73be944cc09271d7c1

SHA1
a2432bd013054fb963a14e6ae2852f6a972199f2

SHA256
104bafaef296f66eb584013f02f05171cd5eaf6158f8731bec9649079b176aa4

SHA512
8b1a4a6587146577d0a090f3985463437cb61b3e19c387d0ac82392dc286c8b5ba42de54a628e4a55158ca815099949ff969268a5d327f1cd5487fb08760248b

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
156KB

MD5
48883cf58c13a2a49bcecfb5075e17ac

SHA1
173114c232f876a39b88ba33b190575cdc24f3bd

SHA256
64fd20ce3c25b55441ab60d50db3c6fd64d65bc900337cb92c3526f9699c1c27

SHA512
c87798b7c1642dca95bdfd3e88db578b4a5ce0eb86f5f841929275d87e5299f1aa49e71690705983bb5e6db360ac309731edc652f579cf384c2f7c4d46b99b5d

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
156KB

MD5
7b3f9c299a922ec10cb217e7e2fd40a6

SHA1
53e15e755173da870a1ba11c8fd179265c4b9af5

SHA256
b29960d40bf4623ee14e782f6b560ebcc9ebf88123f769c8359fe2148aed7724

SHA512
1f2421ae1a3a3e495b52e29970a93ae646dbf31305169e618768d9cf9180df038d905ede5bbf9cd1d98e6fefff9fdea90e60895e343b58c0c17d31307b79bca2

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
156KB

MD5
d5e75085953ee7c5120f95f23fd1b861

SHA1
b027ca1cc0af1f13e3333f95bda280343de7f779

SHA256
443e6159e76ab518fc6e13a42f04586908aacf29c6e10643330d8ec4fab37913

SHA512
910e695fa25e7f5aafbde51359749eabfbe18d5ffe19af74e81ddb200a9c7e3251697cad407ea3d4eb2f1ec27741df3179ed32667d475d95bd33569844a50d83

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
156KB

MD5
8cb5425d7a72d0b5a471ea0b76b32be0

SHA1
775a80f691875beabc0e33c337e1bef76944346a

SHA256
82e1d7799deec506508223b6da5aeba0fb809ddebafc05f208b99f73dd231049

SHA512
cc0d2d31d1146a0180bb82818e209c8f6e0fcfbf2c1ab91d84734d498356bdeb97603c2606c54c0ce1fbea7317611a1ea0556469a2cd8881188bedab1f00fb2d

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
156KB

MD5
53ba8e5a80ca0a0f540df39be4689034

SHA1
4731f28407242c680b7b1abd66e34d6442c0e613

SHA256
2ab77f58e52986494af72311def1e46faf4d5f5b119f2b8e1dfc0aa583034071

SHA512
853e69e85c057f16f2823ba5c1f3bc1344c85b4d73535ac166382d6f92583c7fb6e56cceeaad90b29ac3f77f8cb9985be19938d8c68d3ed6785e097433aaaa24

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
156KB

MD5
dd6bba3b18849ccc1c7fc3e09dfcda4f

SHA1
6db9022335f5e7db681f3d7ba37b51cf28c06b6e

SHA256
c2529015e2de48de5772f0c3c9268c7b4a0b173db8a05f7eb183989473c34e13

SHA512
dc0b9a7aea51acf76d596a80f5d5ca17e8cc237bf2a24d63d949d151b8c22fb84a95eccfd882448bef4471f2ec4b47f42e5c6cb698437ad064bc01ae04e52fa0

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
156KB

MD5
56ea822493ef5b721c08bf7c95022941

SHA1
4bf9802c71eddae88d3dd3af8c6f7aff49de0a32

SHA256
d9ea451e3c40baed62610e31df3ae2dacc7499141bea3de644bb776489be877e

SHA512
6873f6f723004249fed342f0fdf0c7a7ea1da6860432b027ebc231c79b378cb37d932e266720168a06f30ac4ad6f8d7c4bccf8c5b90c94005f1f8eaa567974ee

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
156KB

MD5
82c7853e1dbd46a8cd004d69fa0d15cb

SHA1
63f6e44030e146f4b826194cf6ead84e17d6fe53

SHA256
e3b59ee593090778d047b257cf969691ca28b7a7cf1550705357c0d4c976c1de

SHA512
c602e5c0a2e579302bd791bb72fb4a4799d5ca93c0f27d6ba5e17c3c8ecda5e8d085fe884805ac66a5bbd3346a1b02b18b535c03f456081edd2b853048169dfe

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
156KB

MD5
c610c7c234f38c3e9696566a1dedaf94

SHA1
c8b0497f199ff618039715cee540ca5747d400fa

SHA256
6cb46b311c6d53aa35467bc628be8489de841cb1d3e6e9064a96d85d7a2634a3

SHA512
3fc6703f555f2933b665fba2c45d6678d337c8bc190e5dcc1637074fb2d1c23104cc3aaff0aee4df69e5ec5d2c4d8e0d7fb21cbf3395588f981baeba57503e5c

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
156KB

MD5
21a48ea50d5d10d834671f6617e20e57

SHA1
a2d3f0dd9e1b5478c3217c57292b28b6fd1ca09a

SHA256
659c93916cb4c50fbdbf838864e64047409a823f41c90370ecd034d64fbdfbec

SHA512
2348c8890b1f6a856b4696cb7fcf7dfe563d99e008af95ee71a290e60edd9f30f7a63f44ccfdbb505e8e3e7a30fd4bedf8c945b9e224431cf1f23f6a5873a75f

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
156KB

MD5
b45f89ba2aa691ef6f986e07db7b8d96

SHA1
af9f10b6aa3b9890807379ce998dd19e7f05091f

SHA256
72d58ed0dbcf75335c3c89b942d852eb7f88acc139247b5e58c50c7d836bb311

SHA512
1a9fc3400bfc91193eea40f068042210d2d88f88ae583b40f181e696d2aabab663180bc8ac24083fd8805e77049f7e0d4ea5b9bb2c58fac61cd634a46d8f4282

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
156KB

MD5
92b976e956093353df33479a6df51dad

SHA1
a1e6737fd976cb9b8b8504fa04d881928047c949

SHA256
288a5ecbe9ecafc86bd0dfbe7530972b3787ecb1831e679dc43beac785b0badf

SHA512
44f4c0939037adde1dd9a5a9df52d58a06d25bb61fc9b77b192e92fa58ad61704f0bb0e74e86236c73911686e63101dc34561b906459d4a0b29312b845762ab7

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
156KB

MD5
96e23bf2f64f72f388068ce2e75c3cc3

SHA1
36acd0529d4e4b3a419f5f24bdce66395a71c06f

SHA256
16b0e2929aa9af5db7dcf640df2e590123fa628e74421300b6de08e2beadaf47

SHA512
dc301964d73e89db19be615c31e7941ca392386080416ab585a573e6e537143155d916c1c955323b9a51aa838bb1c166a568bba7048043a8e050766091b596fc

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
156KB

MD5
f29c5b795a5643a589cae076806a5593

SHA1
48257bde8b96752daff44dd10767529c581bda73

SHA256
492f2b3e820d13ec1345fe41f88a8b4506d66aa84cdecceb0937b56e9440dc94

SHA512
7b924fbc441d898619f9adf6749bd29f5b1040fca8a22ff17ae15576e199770cf8dce837d07500b0b6aa02a4c744652060d0c2b887b415391ab445ec058b6ed7

Download Submit
memory/212-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/416-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/520-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/560-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/632-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/660-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1140-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1488-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1856-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2120-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2360-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2372-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2712-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3260-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3500-25-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3852-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3860-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3920-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3952-62-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4012-110-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4252-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4276-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4328-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4348-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4384-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4652-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4904-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4980-274-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5104-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-372-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads