2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe
Size

45KB
MD5

399e5ddb248845e498dabf8fcf035673
SHA1

680ecc3606d236c0617128d5714d944db3e434e4
SHA256

2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7
SHA512

5cc7a6701c6590bb7fad8bf8cae1e0dce859389174854c194a2b70c92903a47f6c6e89088170608b185f27f927fb4c83c91a2bf58d79833d6a2bc2ab06ece9f8
SSDEEP

768:fj4vo7BiRv3b0142tAJstWyIyR8PmrdCkgn/pzmQqn2u/1H5UsX:buo7BiRvrA42qJoWyIEkkgYQq7d

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domfgpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe

Executes dropped EXE 64 IoCs

pid	Process
2396	Dllmfd32.exe
4376	Dokjbp32.exe
4540	Djpnohej.exe
4916	Dlojkddn.exe
3340	Domfgpca.exe
3320	Dakbckbe.exe
2964	Ejbkehcg.exe
4844	Elagacbk.exe
3424	Eoocmoao.exe
2308	Efikji32.exe
2056	Ehhgfdho.exe
4836	Epopgbia.exe
4708	Eoapbo32.exe
2648	Ebploj32.exe
780	Ejgdpg32.exe
768	Eleplc32.exe
3664	Ebbidj32.exe
1588	Ejjqeg32.exe
1896	Elhmablc.exe
3244	Ecbenm32.exe
4188	Ebeejijj.exe
3400	Ejlmkgkl.exe
448	Emjjgbjp.exe
2908	Eqfeha32.exe
3092	Fbgbpihg.exe
3964	Ffbnph32.exe
4484	Fhajlc32.exe
2240	Fqhbmqqg.exe
4548	Fokbim32.exe
2196	Fbioei32.exe
2320	Ffekegon.exe
1728	Fmocba32.exe
4124	Fomonm32.exe
4080	Fcikolnh.exe
4336	Ffggkgmk.exe
1492	Fifdgblo.exe
2952	Fmapha32.exe
2680	Fopldmcl.exe
1336	Fbnhphbp.exe
3300	Fjepaecb.exe
4940	Fihqmb32.exe
4760	Fqohnp32.exe
4968	Fcnejk32.exe
400	Fflaff32.exe
2928	Fijmbb32.exe
1164	Fqaeco32.exe
516	Fodeolof.exe
4820	Gbcakg32.exe
3936	Gimjhafg.exe
4636	Gmhfhp32.exe
4696	Gogbdl32.exe
4432	Giofnacd.exe
2168	Gmkbnp32.exe
720	Goiojk32.exe
3608	Gbgkfg32.exe
4392	Gcggpj32.exe
2144	Gfedle32.exe
3848	Gidphq32.exe
1248	Gqkhjn32.exe
5068	Gcidfi32.exe
1408	Gjclbc32.exe
892	Gmaioo32.exe
2276	Hfjmgdlf.exe
2036	Hmdedo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ehifigof.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Pjpdme32.dll	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Jiphkm32.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Gmhfhp32.exe	Gimjhafg.exe
File opened for modification	C:\Windows\SysWOW64\Icgqggce.exe	Ipldfi32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Eqfeha32.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Elagacbk.exe	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Eoocmoao.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hbanme32.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ejbkehcg.exe	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Ejjqeg32.exe	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Elhmablc.exe
File created	C:\Windows\SysWOW64\Jjcfkp32.dll	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Aiagblgj.dll	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Dlojkddn.exe	Djpnohej.exe
File created	C:\Windows\SysWOW64\Ebploj32.exe	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Dllmfd32.exe	2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jiphkm32.exe
File opened for modification	C:\Windows\SysWOW64\Jbkjjblm.exe	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Fhajlc32.exe	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Ejbkehcg.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jaljgidl.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6940	6772	WerFault.exe	274

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdcfcpdf.dll"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnfmmb32.dll"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppheeep.dll"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhilofo.dll"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Haggelfd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 2396	4908	2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe	86
PID 4908 wrote to memory of 2396	4908	2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe	86
PID 4908 wrote to memory of 2396	4908	2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe	86
PID 2396 wrote to memory of 4376	2396	Dllmfd32.exe	88
PID 2396 wrote to memory of 4376	2396	Dllmfd32.exe	88
PID 2396 wrote to memory of 4376	2396	Dllmfd32.exe	88
PID 4376 wrote to memory of 4540	4376	Dokjbp32.exe	90
PID 4376 wrote to memory of 4540	4376	Dokjbp32.exe	90
PID 4376 wrote to memory of 4540	4376	Dokjbp32.exe	90
PID 4540 wrote to memory of 4916	4540	Djpnohej.exe	91
PID 4540 wrote to memory of 4916	4540	Djpnohej.exe	91
PID 4540 wrote to memory of 4916	4540	Djpnohej.exe	91
PID 4916 wrote to memory of 3340	4916	Dlojkddn.exe	92
PID 4916 wrote to memory of 3340	4916	Dlojkddn.exe	92
PID 4916 wrote to memory of 3340	4916	Dlojkddn.exe	92
PID 3340 wrote to memory of 3320	3340	Domfgpca.exe	93
PID 3340 wrote to memory of 3320	3340	Domfgpca.exe	93
PID 3340 wrote to memory of 3320	3340	Domfgpca.exe	93
PID 3320 wrote to memory of 2964	3320	Dakbckbe.exe	94
PID 3320 wrote to memory of 2964	3320	Dakbckbe.exe	94
PID 3320 wrote to memory of 2964	3320	Dakbckbe.exe	94
PID 2964 wrote to memory of 4844	2964	Ejbkehcg.exe	95
PID 2964 wrote to memory of 4844	2964	Ejbkehcg.exe	95
PID 2964 wrote to memory of 4844	2964	Ejbkehcg.exe	95
PID 4844 wrote to memory of 3424	4844	Elagacbk.exe	97
PID 4844 wrote to memory of 3424	4844	Elagacbk.exe	97
PID 4844 wrote to memory of 3424	4844	Elagacbk.exe	97
PID 3424 wrote to memory of 2308	3424	Eoocmoao.exe	98
PID 3424 wrote to memory of 2308	3424	Eoocmoao.exe	98
PID 3424 wrote to memory of 2308	3424	Eoocmoao.exe	98
PID 2308 wrote to memory of 2056	2308	Efikji32.exe	99
PID 2308 wrote to memory of 2056	2308	Efikji32.exe	99
PID 2308 wrote to memory of 2056	2308	Efikji32.exe	99
PID 2056 wrote to memory of 4836	2056	Ehhgfdho.exe	100
PID 2056 wrote to memory of 4836	2056	Ehhgfdho.exe	100
PID 2056 wrote to memory of 4836	2056	Ehhgfdho.exe	100
PID 4836 wrote to memory of 4708	4836	Epopgbia.exe	101
PID 4836 wrote to memory of 4708	4836	Epopgbia.exe	101
PID 4836 wrote to memory of 4708	4836	Epopgbia.exe	101
PID 4708 wrote to memory of 2648	4708	Eoapbo32.exe	102
PID 4708 wrote to memory of 2648	4708	Eoapbo32.exe	102
PID 4708 wrote to memory of 2648	4708	Eoapbo32.exe	102
PID 2648 wrote to memory of 780	2648	Ebploj32.exe	103
PID 2648 wrote to memory of 780	2648	Ebploj32.exe	103
PID 2648 wrote to memory of 780	2648	Ebploj32.exe	103
PID 780 wrote to memory of 768	780	Ejgdpg32.exe	104
PID 780 wrote to memory of 768	780	Ejgdpg32.exe	104
PID 780 wrote to memory of 768	780	Ejgdpg32.exe	104
PID 768 wrote to memory of 3664	768	Eleplc32.exe	105
PID 768 wrote to memory of 3664	768	Eleplc32.exe	105
PID 768 wrote to memory of 3664	768	Eleplc32.exe	105
PID 3664 wrote to memory of 1588	3664	Ebbidj32.exe	106
PID 3664 wrote to memory of 1588	3664	Ebbidj32.exe	106
PID 3664 wrote to memory of 1588	3664	Ebbidj32.exe	106
PID 1588 wrote to memory of 1896	1588	Ejjqeg32.exe	107
PID 1588 wrote to memory of 1896	1588	Ejjqeg32.exe	107
PID 1588 wrote to memory of 1896	1588	Ejjqeg32.exe	107
PID 1896 wrote to memory of 3244	1896	Elhmablc.exe	108
PID 1896 wrote to memory of 3244	1896	Elhmablc.exe	108
PID 1896 wrote to memory of 3244	1896	Elhmablc.exe	108
PID 3244 wrote to memory of 4188	3244	Ecbenm32.exe	109
PID 3244 wrote to memory of 4188	3244	Ecbenm32.exe	109
PID 3244 wrote to memory of 4188	3244	Ecbenm32.exe	109
PID 4188 wrote to memory of 3400	4188	Ebeejijj.exe	110

C:\Users\Admin\AppData\Local\Temp\2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe
"C:\Users\Admin\AppData\Local\Temp\2630f081e67197af05bb0012b925e1bfdcf7dfe2048d306ac482a7f85fc214c7.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\Dllmfd32.exe
  C:\Windows\system32\Dllmfd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\Dokjbp32.exe
    C:\Windows\system32\Dokjbp32.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\SysWOW64\Djpnohej.exe
      C:\Windows\system32\Djpnohej.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
      - C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:448
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3092
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        29⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        30⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        32⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4124
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        35⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        38⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        41⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        43⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        46⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        51⤵
        Executes dropped EXE
        
        PID:4636
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        54⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        55⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        58⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        59⤵
        Executes dropped EXE
        
        PID:2144
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1408
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        66⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        67⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        68⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        70⤵
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        71⤵
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        72⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        73⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        74⤵
        
        PID:632
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3384
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        77⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        80⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        82⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4036
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        84⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5076
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        87⤵
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2932
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4016
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        90⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        91⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        93⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5348
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        97⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        98⤵
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        99⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        101⤵
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5720
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        104⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        105⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5948
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        109⤵
        Drops file in System32 directory
        
        PID:5996
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        110⤵
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        111⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6120
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5136
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        115⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        117⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        118⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        119⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        120⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5780
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5916
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        126⤵
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        127⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5196
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5332
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        130⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        132⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        135⤵
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        136⤵
        Modifies registry class
        
        PID:6116
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        137⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        138⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        139⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        140⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        141⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5388
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        145⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        147⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        148⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6052
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5772
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        151⤵
        Modifies registry class
        
        PID:6184
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        153⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        154⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6348
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6388
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        158⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        159⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        160⤵
        Modifies registry class
        
        PID:6568
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6608
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        162⤵
        Drops file in System32 directory
        
        PID:6652
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6692
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        164⤵
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        166⤵
        Modifies registry class
        
        PID:6820
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        167⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        168⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6948
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        170⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        172⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        174⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        175⤵
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        176⤵
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        178⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        179⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        180⤵
        Modifies registry class
        
        PID:6512
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        181⤵
        Drops file in System32 directory
        
        PID:6544
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        183⤵
        Modifies registry class
        
        PID:6700
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        184⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6772 -s 412
        185⤵
        Program crash
        
        PID:6940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6772 -ip 6772
1⤵
PID:6884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
45KB

MD5
d99e1d70e48179683e0c28a6e1415c26

SHA1
752d0cb83b6300ee6ae2d9bd23d4170c1df1cc33

SHA256
c71e6fcae625ac3f945aa763198c601c4bea9d4938ecb5829011597729eb03d7

SHA512
e7fd56185afad2ccbbc22180f4dc1db62f2a214d07e854ef3091a22b61e6ae615af8525eb4ded80f4171e1456a6a1f025328f7706f8672e69f57b1f87ea87b61

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
45KB

MD5
43c643f9fe216c61a27b90545dd1f27d

SHA1
c0f58d79f2333577dea30ef8da92e2a131277dd0

SHA256
a08b7d165428488ccc66625f5b07f7be7b3c9916d25e4794a02b9db26cf71f66

SHA512
3b0b907962f98fea644d24261436a5e6548acc00d79bb55f4f4789a07bf8288ee7637d7ba107d5c34e85b5afd6509ab3d4908510e5e301380adb74cda6a84707

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
45KB

MD5
ec38a156e20365e5f88ac3c50988e399

SHA1
32d8d3e2542d4c0cc2e7f542b438ad2f47d36f35

SHA256
67ef40742e12fde141c35134818e1e6e31d375eeb988e65b4e7006281c9686d0

SHA512
d739b74ed14f75bcf3d5158df8a17222ef9272d803de54b78d7dd74e23d6d45651dabaf12b7afac839fe95f0f2de97630c46985638987f951e9050d8e67638b3

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
45KB

MD5
932e37d73505aa4b145450932a66833d

SHA1
35e5fcce768dd15f33ca91b834aa458e2b06fa4d

SHA256
65d5d9a0f759b7f85474ac56aead55db09f237b0f0d4386de48b8bf6897a06e2

SHA512
5b25d90fcdafcf7e8ea5aee4ffc144d4002e5556aa3b30371d06978d58898da4d2dad2656aee2857d37130c68ec748d337e03986f3d511120e24ea6ee87ab474

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
45KB

MD5
67a6bb3b16bf36700d2f263aab70e8e8

SHA1
ac0dcf8b56aaff430332b16145634d7a868322b6

SHA256
96507c0b0e95ee5b0c9b486a184a5b0cc084b49de615de03b28a6cd2425da894

SHA512
83b5573a689b205a0287481eda4c184f03528f9fc0f3e0f73ad1e366a65206b107049faf49ecf2dd062e47dc07040549ad8446d9a4ccb9a672d077aace2997c5

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
45KB

MD5
a3f89412a2c4d0c295bb060724a4f0c9

SHA1
2dbef4f91fe98b5315311930c19ae5949b13c9ae

SHA256
8aa2bc21e5f7adb0bc6fac8ebe72b5f0f42c57825b80ccf5112c32b602b5fffa

SHA512
1ec153e3e51e252718d5682127a567dc6a72221cdf3a67c8414c3dbe81d46d001df0168e22e3c841e26654d1ace8243c2118445355c26ef5f45aae53c1fa3f15

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
45KB

MD5
721ad3a986f820d2cbe06e351a576d1a

SHA1
cbd8fb1c986d368c927047d7729538b793823e8d

SHA256
c319020c57b4810abacbfd8798769cac66b5aa5b73269da2a1829a20a65b93b0

SHA512
1c64daa05a4ba1eb74a6709bd700b37fbb1ff105204916bb07eaa43b232d8d385bc87eb41b79fa271a3dd8552135d02166ce0c42ca70ef85d8796ca3f34a62b7

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
45KB

MD5
3ff08469c57ac587b673547bf72ed1dd

SHA1
6ea50b1972543bf794c4ec54ff3d8ff45f304338

SHA256
22f63ebf02a02f07a0188bad0fb20b68cf7623ec3cabed3431af2c3e2f2c8eff

SHA512
da72ca3a66b8c4bf7d2d53b623ad81643e4b7514a7b5bb82da1810dbcf8867781d43c70c25b4716e3691888b7d4765247caaf073b8719e0e12704a581c5078b7

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
45KB

MD5
8238893f062d489aecd5f5e2963b30c9

SHA1
235e98859519f0af44fbdddb734efea41b5de7bc

SHA256
f2dd885a5e8d9098ad6933d0d7dd311e93f1d3cf96445f7daee16e8268137375

SHA512
0814565996e064848908f3c99e7c6703ebe6eee9ddf2c3dda5f4345d757a199be072e15bd2e579cf1bba68c654bf4aca6919f5ebebb0ad0dc36926a2d46a6f36

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
45KB

MD5
cd6328b9bae18570cd4a7ba72b555937

SHA1
f39356f5e9fcb06a5e7e74da9d8bf1109cce4bab

SHA256
9ad9b44b73b8cee80067c568534d25126cd9a04feaedd48ff42ae3087f642e09

SHA512
988d71d2d230d5297b3d91134b0563305de2dd3f4b4a9d8fde9fe12f6e000ab3a37c576466d5bb10f64c546b60a1ced4395791836499c36cf234305f965a32ba

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
45KB

MD5
7c438fd60c94dfdf5ab3639700ac1010

SHA1
fd16899ec7923900273254633d2a62a04aa251fe

SHA256
0ebc53db318d4848d1e7c946aee7bfb02de77834ba1a41fbf6c9b87de78c9e59

SHA512
c1a7c2a6d4ae0f18e80b2911f84d85b10c9e3071d4a6992f476fc924f84b8c201163a8d1fed82d00a2951293fb88e7a24761afb314743329658759521d48091d

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
45KB

MD5
e9a6e134e31249f995740cf613f94650

SHA1
3c20c09098734c74de514d0e909ac743bbe2b81d

SHA256
232729e96e50c9bb28f7b056eb0346c722907c07295f4074fe857465822e3390

SHA512
49cd56b6d80feca6145d341accbb189d635d9b9b9674a94b2481f216a750c841809b3cc6597a0ec4a1674966c020935bfdd7aa230cb40fa6c040bdd6b67f3cf9

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
45KB

MD5
8d2e32ac66504f3d76ecebff02f86407

SHA1
c0aba830bbd9c36e745f04369a60004cfbd6cf36

SHA256
2fb8230f63f45449a5784913915d82d49316ee3c8366890e223c696a035291bc

SHA512
68d564d50f45c4c4d8096d9b84166fe712fea971587443182441a7ffc2b327fb6bd4c9bac9841326f2a989cdd459fe6dfb479856f3030eaf946c6718e74e86d5

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
45KB

MD5
7cea8a45f7ed5932096d6ae77f71d827

SHA1
f0e30d5835553eab341f4979b08ce4b6e0a3d5a1

SHA256
6b29b5916858106df048d05d289649743d3773634f835e98a0cae625ec56e9ef

SHA512
60de9ba896112fc40aad3f9e83d2fb65c88610bbbefd5310f6e35bcc3c0ffd4a07fc93f3e44b30b95665b6f880a9dcec5066c78e82c0c3f65d1338a3cb48bf3b

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
45KB

MD5
cdf38c981a0a1fdd0ae0326879fb90c1

SHA1
6e2d00704d7ff013993788faf725c67d6597b570

SHA256
a0859bc2a90c4407183ce98327ed4c1da4607af66fa0a3b0f3f0240a64aef901

SHA512
5c296ffbd1030ce951cba26767c23a5710dfeea152021d7f7626f58cce85ee5a095c6d412ad8ebdfb33ac193a6f60c398a78977d993432eafd1301b96b6072cc

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
45KB

MD5
2115df47a04fca87472c5cd5de02ecc8

SHA1
778c88a9739c4ea75843d36ed8ccdea31e0f16e1

SHA256
6dc9aae71fc85551b517c2b84136c91fe7dd0a28a5681c7631ce9744065b6a61

SHA512
2102e6fe000c461e596bbe395ddf2137008916fef24ef2a6fe4ca3434ece3ecf37ecd60ddbe4aa765a2c187c3c6b2cedb5c1afe6a9ec0f174a18a83b014c4f5e

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
45KB

MD5
94f3710e6da15ff0993a16c3b9964c8b

SHA1
02b89b4ee7b239494b8eb075db1963b4435ea63e

SHA256
64053e5393ee755c720fd4330657f8d556ffafadcd87c7a4cecfefa5c65a2316

SHA512
59d354ac8fd8df956d7d04288d0c8f6251f8b63ee9100705f305cd6c26dc2672876c097a5dac07f0c1006ad9d4927687f3c0051b5e1d0bc837190ca68090df33

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
45KB

MD5
d8ac6f8f494d327ba62d8e30f854d836

SHA1
5c99b4d73c1548027fc60493f6333b553983b38d

SHA256
27ad50eb6689c23cd668b37607d5f6d990e86e789472066f46b6e80850eb1027

SHA512
11741828e78a3647fa027a4a0c3177997aee4895d4660de5cb9826ad62333d0650ca29ee6eff9efeeabee2f76e06dbe57909cdb48055adaf09bbbec48bca9185

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
45KB

MD5
04dc91cc6e962541bf1fea438a80ef92

SHA1
c8978924bf7f067f68f0377102b68681b6b6b2bf

SHA256
b3b186de93d7d2c9ee868d64355a035215a2be2d17e4c2739a04ece86e37a1b3

SHA512
4c443091c718532ef8dc6dfa91f7c40b2a820e6f17ed540e0486489e05eea1aa97a8088f4171a5c2cf3fc35a8c4f3f130559ddd3b09665da0c739f06c4afa05d

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
45KB

MD5
c3566171ca8f406ab13c3df2a20498d0

SHA1
eda95621bc04de412f00d73ee5932b6b5a6695a1

SHA256
c5c0b4fd910d9cd8e1d1f95f7f1203a57c0da4dcefb3fcfd222dd3d8349b0541

SHA512
9e0a1dcd0d73c9e9b3a032b5363b10d3b867c5267d79d30e3ef2ab3191340d9eaf55f4c4a7e933e87f41e16a37f041dc57a6e0b2d5d630255401418a7179ece7

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
45KB

MD5
5fe925ae770debaeb034cadb256e61da

SHA1
c4b4069304b441a2396d901d4821a67c78c18f66

SHA256
f687ff8a3724267303f246ab8859df4a23755495fc3fcd59d8bf34cc44d28fba

SHA512
a948691f6511c5210ad2eca60bb45bec51fab6a5b23b5981d4c3bece6b1c60672613619901087c2441016b6a7c96e2f47fe1e30db23002b848dcdb44f56917a9

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
45KB

MD5
1b566b9adda95e4bf222b80726d97c74

SHA1
e839703f9234cf98c8ba791709b134bf212dbdeb

SHA256
af710f065809190c04523be03fe6940ce1eb36bc3395f32de5e69215e896305f

SHA512
bf53cb7fe18f4f51a31c3a529ef8cce540b49aa14268e10542ed5b09339d83c799c8f16c84946f9283ec7e3e82ce91803add1e83e27e4a41f9a83756c78a74ac

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
45KB

MD5
8c1ba27f21c449cc873c4365016cad4f

SHA1
e98580624ae0f50c33eb8278223233942250b0d7

SHA256
90c4d9b6ba72d0d51e4421f7c621c4a94672b167659eef99b21b57c5980c2c8e

SHA512
5b62675908234a3f89a4b31c8aec5bad09f21b870aa2d8fd35b24544971202dba8df9a0a9d518e7a8dc8b981f1aace5e44954cf5499e4277c3df55214b0e8eae

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
45KB

MD5
7916ad5cbeb429aa3715d2866119e1a6

SHA1
4cb94bece66922c621d7fc78027daa65171c5e98

SHA256
d4171fc48a3ebf89626770cfbefa3cc4b3a16cca98f8c900d8578b51b70391ea

SHA512
7fab2a22d0edc193f4adb534e8caf452f170f4b1e2e59874660a22c43fa202b97e3706ab55447623d8b4d0fe7699b41a6408d7dfb45a674297f5039035d11ef9

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
45KB

MD5
b7720c862a457ac2060b4bbf77676c25

SHA1
fd959137f0f799abc5c88fa6b68348a46e35415b

SHA256
37209e033ae4eaf4def619766b90ab56a221c9366bcdae8c790e5ef4594656eb

SHA512
0968da3ef037a5b9561f0bfee1c72afc72423bba1d2853a79f4bb24d174a606e7efe416bce26193a5825be82c7d6362ef4fe2b30acd027ed47f9014ad3e2884f

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
45KB

MD5
efb67e85a05c95ace8e77075776b5717

SHA1
7bd893030bbeb158cf59885ecbee7146b1de6aae

SHA256
399b6b0bbea0fe2ab208de582ef2f4d8841b345707c8f005bb296b3733fbaf31

SHA512
ef47b5f986df9ddda8d55a60cc204e7fc1152c7c72ab512a23bf8f067cc743075d4df41432c8db204ba96d4534df549b0cecb656274e681fd2a16b591ec055de

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
45KB

MD5
47ec1dcfcfe130d637ee8ab673e06e52

SHA1
61c8a7d3b4dc7a632d5829d9f78f3f27855fd0f8

SHA256
df044af2af5fe0929cb80bbd0ca907c2e2e7929d84880f714b0b6c3cd02f7360

SHA512
2121a6dccfb3b6b76903e221c530e16721d41a690977f1404f2bf017a5e8336feb3c6b6581634c83b601e343f5fe25a7e47544076833e16cde9ef367373879d9

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
45KB

MD5
cc2b6fe6120e9e46340c7cdc7cb18c13

SHA1
0958f9e4880aa28d91478935cb69f7d08c1c8945

SHA256
92694fc5532d5eb1fc675481c775e01a2c02acd760132ea4d6a92cdc3355500c

SHA512
64f594ab789c65231159b8694d8a5599ffa4dd3d419aae47cfce4381c7beba7f51cfca99c8ee5e648e5897a326048a0dbedf978d59c9f0ccd378c6c3cf33cd1a

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
45KB

MD5
d83f5637cb64eeeea06941ebfd1b6b97

SHA1
cb0ec4966a28abfc901e541aea28cc8f48d6f967

SHA256
13155e7f604cff8c142e04c6d962983934644405cb93c9e7f821a707b0cd04ea

SHA512
60d242b09acb1817b629f138f1347d1b192e89bf9aad1b4cd4777cb4cf7fa6ead797c55751f1680664c71cc273b76d29b38697a68d697f6c42a8d8b7e8154207

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
45KB

MD5
bb595874e544d7713370fce671090b76

SHA1
9bb65e6de8d1789f6261a713039f4c87049db053

SHA256
5e2dca9a5301fe6cb36cc582fc132254f955269910efa99939bc743abf60f32d

SHA512
41e582417adb2b3f93974f32f1ad2b4fb183406ff3acec980d6234140fe82d1dfe514d7a24905837c59a6fa5897821eb2f10583d5200758569898a66deb71e3e

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
45KB

MD5
9c344c5638961702d581d1519b26376d

SHA1
09b38722c1cf5b5ef3f9a61bf70ca5540a19d3b1

SHA256
9f54f22237d56e8e889b658d10819a21fb5d35f7bda45ddbecd5f2bd1269aceb

SHA512
935bcdc08e4cc580f5caa50c446e524ac489ae8a1033ef93a123cd526860c9bf0642fa4b9fa2df40863f71c6734f2073b33d4ed44f97be98871893dff1aa9072

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
45KB

MD5
6a1d02cf950012c414e4678443d43ac1

SHA1
57e2a90c408da2ff46594dd13e0790839ea3ddfe

SHA256
8ea4a24be13205327e910021117e66fb25aa24817922444c0166f4102a7b1830

SHA512
e6fb52c8e37fc4609676040a5b6b4160ae1902de80079666594bffe18100df757a309d41ad2388803e1a0e770e43c8040166116f76fa9a33c04ddf66b16b9b48

Download Submit
C:\Windows\SysWOW64\Gqkhjn32.exe

Filesize
45KB

MD5
0ddf23ff286a5ae3c44b2a70c8d3288e

SHA1
dab6f62bdbc06b184183ebf21adce1b9f2e5be86

SHA256
72f9c368fa23b3be1509c6cd7fbf802c1f406c1f7b6b41110dcc49cd0ec4a864

SHA512
8186b7b04c8af63bef210dc09ec87bb0b075f6f89624c27f7cda2d0a34e77200e710e1367704d49eaab0e0fda267dc5cd075d3dd6bae8027e95f08f36c54c9d7

Download Submit
memory/400-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/516-346-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/720-393-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-437-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1248-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-431-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1588-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1896-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2056-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-224-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2320-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2396-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2648-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2964-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3244-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3300-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3320-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3340-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3400-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3424-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3608-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3848-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3936-362-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3964-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4124-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4336-274-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4376-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4484-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4636-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4696-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4708-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4760-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4820-352-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4836-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4908-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4968-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5196-1283-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5440-1281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5536-1280-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5632-1272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5700-1290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5772-1261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5908-1277-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6004-1286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6176-1236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6184-1260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6232-1259-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6272-1258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6300-1234-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6312-1257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6388-1255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6476-1253-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6544-1230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6692-1248-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6700-1228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6776-1246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6864-1244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6904-1243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7076-1239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7160-1237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads