b10b93b840eacc3455b7b42296c32f0fe1d93b1ef290259d72bbff44a5323b59

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b10b93b840eacc3455b7b42296c32f0fe1d93b1ef290259d72bbff44a5323b59.exe
Size

448KB
MD5

f6b722eba2114c9c196de7cba326e904
SHA1

d2a1922d077da7f2c486925eaee872606f99a8c8
SHA256

b10b93b840eacc3455b7b42296c32f0fe1d93b1ef290259d72bbff44a5323b59
SHA512

2b7e636ea46140e49cba3b6b0e510e3335171c0d2c98e9a8d99b299a5fc4d5ca59794436b3e021e9a1d2826a33e8288cef33d9bf9084fd565a4c589b1f6ee569
SSDEEP

6144:O5RKMUqY20qMd7aOl3BzrUmKyIxLfYeOO9UmKyIxLiajOEjXP3HBsR4/0ePGSzxC:O5RK7q147aOlxzr3cOK3TajRfXFMKNxC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlojkddn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe

Executes dropped EXE 64 IoCs

pid	Process
2312	Chebighd.exe
1672	Cpljkdig.exe
3616	Camfbm32.exe
2724	Cpofpdgd.exe
3012	Capchmmb.exe
856	Dlegeemh.exe
5036	Dphifcoi.exe
4216	Dokjbp32.exe
956	Dlojkddn.exe
60	Domfgpca.exe
1232	Elagacbk.exe
4228	Eoocmoao.exe
4112	Ehhgfdho.exe
768	Epopgbia.exe
4132	Eflhoigi.exe
3936	Eqalmafo.exe
4636	Ecphimfb.exe
1336	Ejjqeg32.exe
3580	Eqciba32.exe
4068	Ecbenm32.exe
3056	Ehonfc32.exe
5104	Eqfeha32.exe
4772	Ecdbdl32.exe
4444	Fbgbpihg.exe
4364	Fqhbmqqg.exe
4868	Fbioei32.exe
4504	Ffekegon.exe
4800	Ficgacna.exe
2580	Fmocba32.exe
4344	Fqkocpod.exe
3992	Fcikolnh.exe
984	Ffggkgmk.exe
3296	Fmapha32.exe
3912	Fopldmcl.exe
4180	Fckhdk32.exe
3620	Ffjdqg32.exe
972	Fjepaecb.exe
1660	Fihqmb32.exe
4416	Fmclmabe.exe
1588	Fobiilai.exe
4396	Fcnejk32.exe
1612	Fflaff32.exe
464	Fijmbb32.exe
3092	Fqaeco32.exe
2004	Gcpapkgp.exe
4544	Gfnnlffc.exe
5016	Gmhfhp32.exe
4428	Gogbdl32.exe
3292	Gfqjafdq.exe
5020	Giofnacd.exe
4304	Gqfooodg.exe
4980	Gbgkfg32.exe
4472	Gjocgdkg.exe
2196	Giacca32.exe
3240	Gbjhlfhb.exe
3728	Gfedle32.exe
2912	Gcidfi32.exe
1848	Gfhqbe32.exe
2884	Gmaioo32.exe
3236	Hclakimb.exe
3424	Hapaemll.exe
816	Hbanme32.exe
4292	Hfljmdjc.exe
1880	Hmfbjnbp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jbocea32.exe
File opened for modification	C:\Windows\SysWOW64\Eoocmoao.exe	Elagacbk.exe
File created	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Fqkocpod.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Hcqjfh32.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hfachc32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Domfgpca.exe	Dlojkddn.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Kilhgk32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Gbjhlfhb.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Fcikolnh.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Ijfboafl.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Cichoi32.dll	Ehhgfdho.exe
File opened for modification	C:\Windows\SysWOW64\Gbgkfg32.exe	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Iabgaklg.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Bejnmepn.dll	Eflhoigi.exe
File opened for modification	C:\Windows\SysWOW64\Gfhqbe32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Hiaohfpc.dll	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ejjqeg32.exe	Ecphimfb.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hcqjfh32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Llebfo32.dll	Fbgbpihg.exe
File opened for modification	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Himcoo32.exe	Hjjbcbqj.exe
File opened for modification	C:\Windows\SysWOW64\Elagacbk.exe	Domfgpca.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Capchmmb.exe	Cpofpdgd.exe
File created	C:\Windows\SysWOW64\Ffekegon.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Laopdgcg.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Plbehnol.dll	Capchmmb.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Ffekegon.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Fjepaecb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6400	6264	WerFault.exe	266

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampkqqjm.dll"	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfifijhb.dll"	Cpofpdgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlnpc32.dll"	Camfbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giacca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpljkdig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpgdbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b10b93b840eacc3455b7b42296c32f0fe1d93b1ef290259d72bbff44a5323b59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhollf32.dll"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbdfmi32.dll"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Camfbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifopiajn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 2312	4840	b10b93b840eacc3455b7b42296c32f0fe1d93b1ef290259d72bbff44a5323b59.exe	91
PID 4840 wrote to memory of 2312	4840	b10b93b840eacc3455b7b42296c32f0fe1d93b1ef290259d72bbff44a5323b59.exe	91
PID 4840 wrote to memory of 2312	4840	b10b93b840eacc3455b7b42296c32f0fe1d93b1ef290259d72bbff44a5323b59.exe	91
PID 2312 wrote to memory of 1672	2312	Chebighd.exe	92
PID 2312 wrote to memory of 1672	2312	Chebighd.exe	92
PID 2312 wrote to memory of 1672	2312	Chebighd.exe	92
PID 1672 wrote to memory of 3616	1672	Cpljkdig.exe	93
PID 1672 wrote to memory of 3616	1672	Cpljkdig.exe	93
PID 1672 wrote to memory of 3616	1672	Cpljkdig.exe	93
PID 3616 wrote to memory of 2724	3616	Camfbm32.exe	94
PID 3616 wrote to memory of 2724	3616	Camfbm32.exe	94
PID 3616 wrote to memory of 2724	3616	Camfbm32.exe	94
PID 2724 wrote to memory of 3012	2724	Cpofpdgd.exe	95
PID 2724 wrote to memory of 3012	2724	Cpofpdgd.exe	95
PID 2724 wrote to memory of 3012	2724	Cpofpdgd.exe	95
PID 3012 wrote to memory of 856	3012	Capchmmb.exe	96
PID 3012 wrote to memory of 856	3012	Capchmmb.exe	96
PID 3012 wrote to memory of 856	3012	Capchmmb.exe	96
PID 856 wrote to memory of 5036	856	Dlegeemh.exe	97
PID 856 wrote to memory of 5036	856	Dlegeemh.exe	97
PID 856 wrote to memory of 5036	856	Dlegeemh.exe	97
PID 5036 wrote to memory of 4216	5036	Dphifcoi.exe	98
PID 5036 wrote to memory of 4216	5036	Dphifcoi.exe	98
PID 5036 wrote to memory of 4216	5036	Dphifcoi.exe	98
PID 4216 wrote to memory of 956	4216	Dokjbp32.exe	99
PID 4216 wrote to memory of 956	4216	Dokjbp32.exe	99
PID 4216 wrote to memory of 956	4216	Dokjbp32.exe	99
PID 956 wrote to memory of 60	956	Dlojkddn.exe	100
PID 956 wrote to memory of 60	956	Dlojkddn.exe	100
PID 956 wrote to memory of 60	956	Dlojkddn.exe	100
PID 60 wrote to memory of 1232	60	Domfgpca.exe	101
PID 60 wrote to memory of 1232	60	Domfgpca.exe	101
PID 60 wrote to memory of 1232	60	Domfgpca.exe	101
PID 1232 wrote to memory of 4228	1232	Elagacbk.exe	103
PID 1232 wrote to memory of 4228	1232	Elagacbk.exe	103
PID 1232 wrote to memory of 4228	1232	Elagacbk.exe	103
PID 4228 wrote to memory of 4112	4228	Eoocmoao.exe	104
PID 4228 wrote to memory of 4112	4228	Eoocmoao.exe	104
PID 4228 wrote to memory of 4112	4228	Eoocmoao.exe	104
PID 4112 wrote to memory of 768	4112	Ehhgfdho.exe	106
PID 4112 wrote to memory of 768	4112	Ehhgfdho.exe	106
PID 4112 wrote to memory of 768	4112	Ehhgfdho.exe	106
PID 768 wrote to memory of 4132	768	Epopgbia.exe	107
PID 768 wrote to memory of 4132	768	Epopgbia.exe	107
PID 768 wrote to memory of 4132	768	Epopgbia.exe	107
PID 4132 wrote to memory of 3936	4132	Eflhoigi.exe	108
PID 4132 wrote to memory of 3936	4132	Eflhoigi.exe	108
PID 4132 wrote to memory of 3936	4132	Eflhoigi.exe	108
PID 3936 wrote to memory of 4636	3936	Eqalmafo.exe	109
PID 3936 wrote to memory of 4636	3936	Eqalmafo.exe	109
PID 3936 wrote to memory of 4636	3936	Eqalmafo.exe	109
PID 4636 wrote to memory of 1336	4636	Ecphimfb.exe	110
PID 4636 wrote to memory of 1336	4636	Ecphimfb.exe	110
PID 4636 wrote to memory of 1336	4636	Ecphimfb.exe	110
PID 1336 wrote to memory of 3580	1336	Ejjqeg32.exe	111
PID 1336 wrote to memory of 3580	1336	Ejjqeg32.exe	111
PID 1336 wrote to memory of 3580	1336	Ejjqeg32.exe	111
PID 3580 wrote to memory of 4068	3580	Eqciba32.exe	112
PID 3580 wrote to memory of 4068	3580	Eqciba32.exe	112
PID 3580 wrote to memory of 4068	3580	Eqciba32.exe	112
PID 4068 wrote to memory of 3056	4068	Ecbenm32.exe	113
PID 4068 wrote to memory of 3056	4068	Ecbenm32.exe	113
PID 4068 wrote to memory of 3056	4068	Ecbenm32.exe	113
PID 3056 wrote to memory of 5104	3056	Ehonfc32.exe	115

C:\Users\Admin\AppData\Local\Temp\b10b93b840eacc3455b7b42296c32f0fe1d93b1ef290259d72bbff44a5323b59.exe
"C:\Users\Admin\AppData\Local\Temp\b10b93b840eacc3455b7b42296c32f0fe1d93b1ef290259d72bbff44a5323b59.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\Chebighd.exe
  C:\Windows\system32\Chebighd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\Cpljkdig.exe
    C:\Windows\system32\Cpljkdig.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\Camfbm32.exe
      C:\Windows\system32\Camfbm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3616
    - - C:\Windows\SysWOW64\Cpofpdgd.exe
        
        C:\Windows\system32\Cpofpdgd.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Capchmmb.exe
        
        C:\Windows\system32\Capchmmb.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Dlegeemh.exe
        
        C:\Windows\system32\Dlegeemh.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4800
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        32⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        33⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        37⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        39⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        40⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        43⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        44⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        49⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        51⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4472
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        57⤵
        Executes dropped EXE
        
        PID:3728
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2912
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        61⤵
        Executes dropped EXE
        
        PID:3236
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        62⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:816
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        64⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4520
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4000
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:488
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        75⤵
        
        PID:776
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1784
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4284
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        78⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3976
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4212
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        82⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        83⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2476
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        88⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        90⤵
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        92⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        93⤵
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        94⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        95⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        97⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        98⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        100⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        102⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        103⤵
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5860
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        105⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        106⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6000
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        108⤵
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        109⤵
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        110⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5228
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        114⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        115⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        116⤵
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        117⤵
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        119⤵
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        122⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        124⤵
        Drops file in System32 directory
        
        PID:6068
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        127⤵
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        128⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        130⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        133⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        134⤵
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        135⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        136⤵
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        137⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        138⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        139⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        140⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        142⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        143⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        144⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        145⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        147⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        149⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        151⤵
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        152⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        153⤵
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        155⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        156⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6512
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        158⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        159⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        160⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6688
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        162⤵
        Drops file in System32 directory
        
        PID:6732
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        163⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6868
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6916
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        167⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        169⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        170⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        171⤵
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        172⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        173⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        174⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 420
        175⤵
        Program crash
        
        PID:6400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6264 -ip 6264
1⤵
PID:6396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Camfbm32.exe

Filesize
448KB

MD5
97fa82d43426f4a88aec978311a1d34a

SHA1
f93e5a31b09fb95fa61d4158be29c5c6e26d91f9

SHA256
243ad35657813d87022f99e88846e69dd6ebe827039e94beba1df791ff889439

SHA512
db6a9f1d3d3c09c083deac26652f4497f1b22a33ee85a5a92a9ff2396e3a790a6f83827e58b76f91d8288d6f1eb5171d5bd76fac92a608fb74d07c4e1103b695

Download Submit
C:\Windows\SysWOW64\Capchmmb.exe

Filesize
448KB

MD5
73784181ae8d682dea1699c76381a525

SHA1
b0691de687976fde588c6d225a01312db9fba4e9

SHA256
a9de56ea23ca04e7e38f5f930ea7704357f060f96abf7bd68e8162c626748c17

SHA512
5595db41840e79abe47cfec9ab03dba9d45c62eaeebf1c02f710c6b31a9f210de605c77645fcee65fdf11e5c0bf4dc88a592d96618c06eb8cdd5e04d7fc15ef7

Download Submit
C:\Windows\SysWOW64\Chebighd.exe

Filesize
448KB

MD5
59ce4e4755ef19458d42c7f4bf4067de

SHA1
0a47562f94628a9753c50d34801a2ccd4780cfe3

SHA256
d805935d68bba63d3dc300f57b57bcd2897e2c1b163cefe8faba6ce6e01ff73a

SHA512
858ba77692fd6a3e87d97f4a3bb80f26ffa77e2cea6c49b935a55fde0205e180a152d1e9e9116ab1761ec69a5246c18c85cd8088b521b52dd321c47aaf66ddb8

Download Submit
C:\Windows\SysWOW64\Cpljkdig.exe

Filesize
448KB

MD5
9357e99434dff4c0d3ffbe7e604a7a99

SHA1
fe01abb3e922d33af404bbb96effa71006e21861

SHA256
a29ae9ce068103d13cdcabb6e2be87dd3eb4356f4f8a8e6a61b9d1aa0fd60da8

SHA512
4e9362097c81b8676c2b628bcdf4be36857cbddbf2ee28567d0c734b68e8539c2dff40e5206b59d723ab10d22f6c6c3ad11bdd82bcaa32b38a91a7fd336d9fb2

Download Submit
C:\Windows\SysWOW64\Cpofpdgd.exe

Filesize
448KB

MD5
63ac69d7307f176aceece3b38f8b7a39

SHA1
1040041170c6c910c00b21bda823aac5881ce73d

SHA256
17d7f2e93b061275796a596fe53f22c5f517ec5e6ea2470bf3b1b42536c7241f

SHA512
58df8e0eb230f90fac7aee34c6d395fb364ea00e15f835cb9b81464b8b5cca583387cdf63578aafd6fdcc60ffbbd965447d361acc51d2ef0487aa458b7f9e536

Download Submit
C:\Windows\SysWOW64\Dlegeemh.exe

Filesize
448KB

MD5
92d83ed9bf56d88c392a3f96a4c5a063

SHA1
8efaaceb8e591a9d3c60045ae53e87998a997414

SHA256
6ed41e1cbae2e9de9cbd9c9315f3a1dc7337ebf0f25bfe546c56723f8b33a4b0

SHA512
b0eff730399642822ffda8471baa67bd14d09da6ea16a150820353b1ba824a5dbe0adcea7d0fe51662ebc828e107729ef759f1d38b82890051083cb16a44a70d

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
448KB

MD5
c37b767aec4ac8eec47f6917c4311f28

SHA1
837002e83d94ed521930d4117b5ff511f5dc4e55

SHA256
ec57d934d1ce07dcc224407a768c396a9cabdd4ae7505d39fb0fa0e8a9870983

SHA512
4469f610c5640ff91538c7688cf4662273368456b900df9a29703ebded4eab8fa04943b95b6284c9c74be16dd7e902890b2c5ace4e595533a58f39bcdc3112a6

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
448KB

MD5
41b00f210767b784d90fa59a57c3f10d

SHA1
d45be693c21bf0b1253ca279b3eea7f4aff4cdfa

SHA256
ce5712124c2e7bbba6f2191ff31f710ff2a41ad95ef85517a8c765cc934a8bbc

SHA512
20b19fc2d01f7c5f4dfe0a66003acce644c69f45e5021ad9d92380777e605e14f9a0a4b8d6fe5bee542b0f38f82bfb2ab521ff16a127ac57d95ea5c2e18f848c

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
448KB

MD5
d1502ba8103652b7be455f1b4ed20d26

SHA1
5628c2697fb5ac713fe5294ce00a153451e7a64e

SHA256
c9a1bf8e37cc36b78323ce2600f16f5bac0130bf5aefac5041d2e378cda9b4e0

SHA512
ef0ad666eb2ceca66b1fdcb85025314f090796ee425a0eeda9182147f9895ebab07ddf41e58d643e4cdc71f2ddb89de67356c6746b9a5bde8e5a616692c191e3

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
448KB

MD5
0d31dcd159c18f39f626d8797325ac68

SHA1
916a93be523d0781229e4299992e177023c33e9b

SHA256
5039156d882c8af03706e713836b9dd4084398da3213a6599a45aee4ca08384f

SHA512
cbe992179b914274fefd9a77dfc837d8038dfe4e2e5e693f47e2324adbecabb9c7d14111ba4ba76c914e6c1bb81e25433107dffcd3acb1c7a4ffcb81ef7d230b

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
448KB

MD5
63ac77b1e0365788436b4d96075851d9

SHA1
93da00b452d0972ce74268f272990d665360a235

SHA256
d933173fb4caa38ee55cabd26b04ce4db6fdfef07890b64b35ce8ff758fefef3

SHA512
2eca02d0f1bc61c5ab6c88878e9730b7915cb90ac39c6a304ea014dbfb0677dd6609d0915ce7572277ba8a1f316dad3d1d38b1d333e9d55155bd07fa6187b3ca

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
448KB

MD5
7bfa357ff2df6e11c61dea6de9f12345

SHA1
eb1e24bc850084503a1189446c9a885b343a34e3

SHA256
be73dedbc16b132f42926c1a822a66711b9e2a2a79e8c6c49257da3942fea07a

SHA512
9486ab77628f0f22901090873cf6fac095fb9426e80afa025f63036165027975c50ae1453f2ca883fee8a5522634d64c42db407ee6c6c5d6df385eafbafdaa19

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
448KB

MD5
8f99eb0b850e5e39258c9774e3acb035

SHA1
dac688f016f79e5513ad491a8b3d53f36804db67

SHA256
e1808143bb85956d0ab4bbd47a3eab1b72567418461b3238befef231370ca662

SHA512
c18368c52b35959e5ea902373b1af6132c520e865ce8a5d0f47786739d6267d854812b3d7afbb23d3ea7f3224c8f7da15490754503bcab3425b44c8e5a8688b3

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
448KB

MD5
2fb0f353ce0961a6193f08ab0fb0ac5f

SHA1
c694d80c08c34ebf4b82bf61021ff7176c9f6e33

SHA256
6a2cf5cea83da1a224f11f6de4bd293a59b3c2b8b671273851015055676df1c7

SHA512
c6afb256bf57467474501eda4a1c05f2be59ae796e7166b54b997670e559ed42d6a0c3f5832d8453f2b84d507d72cf90e1c4dfc3361db85a3fcc93ebe4d65ea5

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
448KB

MD5
1276f12aef1d0dd48608d1aef570ffca

SHA1
a18192917160b13f69a06d2b32d73c8391081c74

SHA256
50ad6fed40ea8b26bc12317089f4b0be1dede6439f7cf670f4ab2722f8a953ec

SHA512
0353f12c38febab81f1a4bec8f50a0b19a64f67cdec3212eed559e5e4d76f03d1a53cff2d100c0a2d1ebab353b7160cf3df917a6bdc814c13e90528c74a9ec82

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
448KB

MD5
8ac95e2846d249d59fa0ba8ede645722

SHA1
7a75d720211da8af59d749dd9a97b58c7d73df4c

SHA256
3cca92a1811c5ea3eac01ceb6546c05c03f8418810b3c27d42842f5047bec262

SHA512
722e9d873ec84b12578c97d9ed2cddae9b83c9e0071fdf4212de1f8e29e6e0dd6d7f4f77dd054bcdb7754e1e0268e2b0df85124240ca4d99c113b13d12710716

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
448KB

MD5
a4dad6ad400169013fa8c485bf54d9e2

SHA1
1301c8f2e2f330a664549e5e64c854ad59a56dbf

SHA256
db19091390e1bccf19162de4077e72c2a44df0de6b22c35122c50921d89637e0

SHA512
2c2b122dd19910c90e56f3dc70c3e945bb65eeb1a4e7bc5b4642e92c8c0cc8749eec9e965ec525841ad5923d791264cf7cc073a4371a058721030ee41cef3a1e

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
448KB

MD5
649b13d92851be1da2fd3abec156ba39

SHA1
40fbb97a1b21dfbaec257042a106a27dfa7d7719

SHA256
b8735abfd8ac9fb73222dca066eb29581a0645bceb4e29fca47682cf30e5293e

SHA512
d2981df9bd6a530d277cc00d1f31f073da20d4ce3b6107bb3a6a9771eb58caa6c43c31ba343f80800b250cbf8acf7270bdd653f8f343bdee873f30eead390096

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
448KB

MD5
b931fd69b20fd3e29f9c5e844065548b

SHA1
63d924ee51d298d6280157538e823a674ffa7e3d

SHA256
7aaffa9fa2b0e7f310cde6f88eb11ef165ae3e4c850d93e8e1689b3540ecd34e

SHA512
eedd9d5fae3808cbf835be40435f346e40e92be76ea50d3aa7d88dcd144bd8c20a00d493ad0fd4d994d010591213b30d8d978b5adce4b8a9d10bedad61804639

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
448KB

MD5
8aee3ac23c2ca0fef0d1db01cac838c9

SHA1
4303619786b19b17b123c2251008bf7e6afa1ef8

SHA256
63d456bacadae7d678021719bbf0463e58bcd30bc0a85b7eb13f5f549a8368de

SHA512
fe668dffb7975c78670eb8c68d604e4e63eb7183c15081cbae6aaa515db445bb92ebca6e60edebbb66b98579bb0edefdd486106f3149c1c488ad5d30bd0fc769

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
448KB

MD5
46abeca2bff5c4b0a14d170050b644c5

SHA1
eed05778f7140dd4849bbc597fb8536ad6fe54bd

SHA256
6f05e1b1e93baa46f70d9798805d3d8ec06b1e9db237927a2be4d1ff052add2e

SHA512
c66af2a864315ea0e6dc241c1c647ea78cadf8805a242e4b82974b1693de0058828e0b0af37f9b5edb759a23c49b927114ce7d56e684e6344d6f6113db1096f8

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
448KB

MD5
e3e5d19aa12fe8a3435c10dcb69f2360

SHA1
fff58525c556c11ea70f42ada376753a3ee82888

SHA256
adfb113e47867bfb876abbf3e23b5071d5513d01b077cefe460f0a12d80da26c

SHA512
1513ba7e6686fb717457ef3f717cec495c170c5245245f8bb0646bef944d975242056489fe8c52870550e3f9ee8954770afc9f7c2d4172b4e1f46f89c46aee28

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
448KB

MD5
f41ceca888411f4883cce08d26a3725b

SHA1
e1468fc19c63bf7036c58a870f0c46ef9aaf7497

SHA256
c48295257a9a95b8e04f0713973e983529152edc74eba51edc072988b84c2385

SHA512
7734bf0c096016ae4aa607d92ea5c956cf029bcf22b92d167c1259e3364f9783dcb33390f155df379ad803238db88f7bb7da863b671c7983ddf40a5c1594e053

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
448KB

MD5
2389bbe22314c2f9e5198c8eb3f303ec

SHA1
5fe0e86c7846e84596cd2a87cb2894f6623b952e

SHA256
60f8be608a642eac83154cec71e851837b44b9914e61ad007932a743f8d7e000

SHA512
31c8c49a6bba5c2497bf48c0628b7c71a602453899be84d5d9f461bdd17166f2d0242295c4ec579f1aec76ecc27d861e0ac7d5abb30f46f595d620832bcec046

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
448KB

MD5
47aa847889f01e94b37c21fa71a34ed6

SHA1
6268fd40b49d25a369aaebba3623e3d55b3812fa

SHA256
1b143dac4ccd1ad75100ac702c33dd83be085a70c3bf440116e71fde4680d00f

SHA512
5cfd37e36a13049a50a920e5cdd98f91272c753dadea52860b760050e03f60538eccf4a7a37b73a5b3a83818625b0eb248a24a7e5eb7c5b6dee252495019d3a2

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
448KB

MD5
94943ca848f33a171141d1e4ccfa281e

SHA1
d94a1a7588e38f1699d9f4e08209e776068476fe

SHA256
981449891865f556c1d13d57d71e3f1a0c38208a978cf0a0e7b1f9d077df30e0

SHA512
731d3a1ae63bb9a77709ebf06d30d2930bfab62b356a86ccbfa7fe92bb071739898d5828f88138e49df9ab51941ccf3a998550f7cb7c4f9b991635b1cada524e

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
448KB

MD5
d1ccb2e45fed0ca9533b201cc57fed6b

SHA1
8e14e9ca8386c4dc165776b15b861f54931460c4

SHA256
b509d1c46b45d9ffc31581f64dc1ee2d6c56205c3339c78b3bbe28db60fda37a

SHA512
9deaa38eb819806e55debf7894c4069194c33084b31c19f8d6d6632ef9840a4dfc882d44f89857922b9c3ed2a7b049d53d1da6da904b724bb970c48480a79d2a

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
448KB

MD5
cb49e2e2c083ba3f2fec73d344701c9d

SHA1
a50cc74514e273a45e4a823c64b90263a90009de

SHA256
a9f5df8cc6f6678fc6ce3b53d38e31c440238ee4bbbe82e96cdb19c3e5c0a8ba

SHA512
f5bb2d1032d7b49abed01c15e6bdc41d1a5b61bc13e3b43591be3fd702004660ea6db4f8fea9289c594cefa979fbea1333af5783060e871342a21c56cc92b97e

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
448KB

MD5
f0d6092ae250b1b04e2bd6a4a1cf570e

SHA1
4c06e7bfb1476ce2b1ff80c500ad4e325e9cc3de

SHA256
1cc528fcea1a64f7d303faf8e34ee3e240ad3bdf09fbc8d038792685b065d11b

SHA512
20c7c96c30371687d525b46f19a2535fbd74e9508239d7c879331c21ecae34b7c09f491622cf59647dea7067c141a2fb4e1198b7fb212e6de0baad64bcfb4cc4

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
448KB

MD5
94ac6487c7cab4a82d82fefa217501ec

SHA1
6b7a485e4f788e409d111cf7c858212ce20d7100

SHA256
c5835470c4545975e2cb604abc1f4b668c6d4a431276957380e3a0b582b640e7

SHA512
2dc4273020621e7ced5b698cb0a3de0173164fbae0dc4f33bc3e5e9103bfd0fe393cbcba7951534c24748f0605d14fabbc6034c6df1655f5186d4150d760dd96

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
448KB

MD5
75c448f8e1c9a8b0d397a39afb61f3ee

SHA1
a3cca2e697a2fabd4f26c044a18f085c6eb064ab

SHA256
3e1febc885b4c393e2bf127c1af65514368409e2d97e1702045a069f341a5970

SHA512
b69f5b3109522433de65b53e161df7b0340d0f77593ec07d8fc0911b694db044ab93981ba992b606612efd2611fb5c617ad1aebc59b024e5161f549539a2fd3b

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
448KB

MD5
7f88ced59be671979f0310172cd0e2c1

SHA1
a9632dc61afa35622a6ceb2176ae37bf7fd1fe2c

SHA256
06420c79a68e2a49d7c033ab4af8a90935352a93c0ba2a876a6769f3dd24490f

SHA512
d70962eb53eb05c198f2b0bd832a5ed6eb0aa48b8e51d1ee7e9bc70c3a808e25534a9a545e8f6691c01ebf0709b735772869f06feeb6d9d3e0964e209aa3dc10

Download Submit
C:\Windows\SysWOW64\Jfifijhb.dll

Filesize
7KB

MD5
bc75239294385b024634e577393d9c52

SHA1
c19938f2c1007b5be67dbe32e61c5dde9aabd0b4

SHA256
34b71f6da5876633f64d5d6a54e89ac14a98b0b0191ee34290cb82eb4bf57c35

SHA512
9934820d2cba4ca67906cb6d24a0a50e719b23b3fe5ac9151c96f1fd848e45ab7b6ddaa6ad927e0e0e4b91187870de5f9a72c633474217b7f8a6170310476cc1

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
448KB

MD5
8957b171e9a3dcbafd26822a9408c06b

SHA1
3edeb9a5161846bc68f44713430e1b9aa8a225b7

SHA256
94737a079f81d5f5c144f29da8bc508ead39069b6a1641b1aa296e7655ff02ee

SHA512
24afcea99608e2ebf1082a02b236f7dde3af2bc514429a757051834843c298171ccd54c3d565abc0a048178f894abd7f1489ed8cbd202c15d284c87ba3f0f356

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
448KB

MD5
db2941dccf113b5900acb7b20cba2f19

SHA1
3b7a8aef58d093e2bdc7895258adb6982985e47f

SHA256
b0b3cf3b5f1cc2a7549f7f4d0213a44e7f5c4bc5b612dc6c24a5cf75534dd535

SHA512
7906bb9c36816ed028f1d0ea783a5c8d3d2af879bf545916c27db1d335a43984c7c2d270c62aea151904ffdd9d34b3ea7e8c36a2bf7e5a9959ed4195b278dcf9

Download Submit
memory/60-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/816-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/856-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/956-74-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/972-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/984-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1232-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1336-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1612-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1660-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1672-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1848-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2004-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2196-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2312-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2580-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2912-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3012-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3092-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3236-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3240-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-363-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3424-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3580-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3728-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3912-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3936-132-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-305-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4068-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4112-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4132-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4180-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4216-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4228-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-447-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4304-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4344-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4396-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4416-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4428-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4504-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4772-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4800-303-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4980-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5104-178-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads