0cf4b650df843191b9dc086d6ffee1f41d6db707b9369540c48d2edf156df520

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cf4b650df843191b9dc086d6ffee1f41d6db707b9369540c48d2edf156df520.exe
Size

224KB
MD5

3b021e05a28810cfd8997a64692e701c
SHA1

8ebbfb32611357f50b73d592cb7d9015982d2fb3
SHA256

0cf4b650df843191b9dc086d6ffee1f41d6db707b9369540c48d2edf156df520
SHA512

37adfa3d990cc588031ca0cfc26f922efe02fd32d19175c92f6fbf5fbdac50cd15351b2a5a19458b652d775a206b383bca92b2f3f43c949f5153d6b9e13c04df
SSDEEP

3072:qTQN2/Nz+LESK3iVxgzL20WKFcp9jRV5C/8qy4p2Y7YWlt63cp9jRV5q:qTjNyYy/gzL2V4cpC0L4AY7YWT63cpq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Debeijoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlojkddn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0cf4b650df843191b9dc086d6ffee1f41d6db707b9369540c48d2edf156df520.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debeijoc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djpnohej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0cf4b650df843191b9dc086d6ffee1f41d6db707b9369540c48d2edf156df520.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikfip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe

Executes dropped EXE 64 IoCs

pid	Process
4992	Debeijoc.exe
4420	Dphifcoi.exe
544	Dcfebonm.exe
4400	Djpnohej.exe
828	Dlojkddn.exe
3688	Dchbhn32.exe
1376	Elagacbk.exe
4904	Eoocmoao.exe
584	Efikji32.exe
400	Ehhgfdho.exe
2092	Epopgbia.exe
892	Ebploj32.exe
4964	Eleplc32.exe
3128	Eodlho32.exe
3488	Ecphimfb.exe
2940	Elhmablc.exe
4464	Ecbenm32.exe
2376	Efpajh32.exe
4072	Eqfeha32.exe
2616	Ecdbdl32.exe
4724	Ffbnph32.exe
2968	Fqhbmqqg.exe
4428	Fmocba32.exe
556	Fjcclf32.exe
920	Fmapha32.exe
2008	Fckhdk32.exe
4484	Ffjdqg32.exe
3532	Fihqmb32.exe
3228	Fobiilai.exe
3896	Fbqefhpm.exe
1532	Fijmbb32.exe
3960	Fmficqpc.exe
4672	Fodeolof.exe
3924	Gbcakg32.exe
4576	Gfnnlffc.exe
4776	Gjjjle32.exe
2116	Gqdbiofi.exe
4528	Gbenqg32.exe
4856	Gjlfbd32.exe
1300	Goiojk32.exe
3360	Giacca32.exe
4688	Gbjhlfhb.exe
2164	Gjapmdid.exe
5092	Gqkhjn32.exe
3468	Gbldaffp.exe
4960	Gjclbc32.exe
2200	Gmaioo32.exe
2548	Gppekj32.exe
4908	Hfjmgdlf.exe
4012	Hapaemll.exe
388	Hcnnaikp.exe
4512	Hbanme32.exe
3320	Hikfip32.exe
3976	Habnjm32.exe
4392	Hpenfjad.exe
4552	Hbckbepg.exe
4120	Hjjbcbqj.exe
1320	Hmioonpn.exe
3236	Hccglh32.exe
2296	Hpihai32.exe
1976	Hjolnb32.exe
792	Haidklda.exe
2812	Ipldfi32.exe
2088	Ibjqcd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Impepm32.exe	Iffmccbi.exe
File created	C:\Windows\SysWOW64\Jcgaen32.dll	Efpajh32.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Dchbhn32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Fodeolof.exe	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Hmioonpn.exe	Hjjbcbqj.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jaedgjjd.exe	Iinlemia.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Eodlho32.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Ecphimfb.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jfjdddho.dll	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Ogedoeae.dll	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Dlojkddn.exe	Djpnohej.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Gbldaffp.exe	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Eleplc32.exe	Ebploj32.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fmocba32.exe
File opened for modification	C:\Windows\SysWOW64\Hikfip32.exe	Hbanme32.exe
File created	C:\Windows\SysWOW64\Cniohj32.dll	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6720	6584	WerFault.exe	242

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbhbe32.dll"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmddeh32.dll"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elhmablc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cniohj32.dll"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fckhdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfjdddho.dll"	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 4992	1768	0cf4b650df843191b9dc086d6ffee1f41d6db707b9369540c48d2edf156df520.exe	87
PID 1768 wrote to memory of 4992	1768	0cf4b650df843191b9dc086d6ffee1f41d6db707b9369540c48d2edf156df520.exe	87
PID 1768 wrote to memory of 4992	1768	0cf4b650df843191b9dc086d6ffee1f41d6db707b9369540c48d2edf156df520.exe	87
PID 4992 wrote to memory of 4420	4992	Debeijoc.exe	88
PID 4992 wrote to memory of 4420	4992	Debeijoc.exe	88
PID 4992 wrote to memory of 4420	4992	Debeijoc.exe	88
PID 4420 wrote to memory of 544	4420	Dphifcoi.exe	89
PID 4420 wrote to memory of 544	4420	Dphifcoi.exe	89
PID 4420 wrote to memory of 544	4420	Dphifcoi.exe	89
PID 544 wrote to memory of 4400	544	Dcfebonm.exe	90
PID 544 wrote to memory of 4400	544	Dcfebonm.exe	90
PID 544 wrote to memory of 4400	544	Dcfebonm.exe	90
PID 4400 wrote to memory of 828	4400	Djpnohej.exe	91
PID 4400 wrote to memory of 828	4400	Djpnohej.exe	91
PID 4400 wrote to memory of 828	4400	Djpnohej.exe	91
PID 828 wrote to memory of 3688	828	Dlojkddn.exe	92
PID 828 wrote to memory of 3688	828	Dlojkddn.exe	92
PID 828 wrote to memory of 3688	828	Dlojkddn.exe	92
PID 3688 wrote to memory of 1376	3688	Dchbhn32.exe	93
PID 3688 wrote to memory of 1376	3688	Dchbhn32.exe	93
PID 3688 wrote to memory of 1376	3688	Dchbhn32.exe	93
PID 1376 wrote to memory of 4904	1376	Elagacbk.exe	94
PID 1376 wrote to memory of 4904	1376	Elagacbk.exe	94
PID 1376 wrote to memory of 4904	1376	Elagacbk.exe	94
PID 4904 wrote to memory of 584	4904	Eoocmoao.exe	95
PID 4904 wrote to memory of 584	4904	Eoocmoao.exe	95
PID 4904 wrote to memory of 584	4904	Eoocmoao.exe	95
PID 584 wrote to memory of 400	584	Efikji32.exe	96
PID 584 wrote to memory of 400	584	Efikji32.exe	96
PID 584 wrote to memory of 400	584	Efikji32.exe	96
PID 400 wrote to memory of 2092	400	Ehhgfdho.exe	97
PID 400 wrote to memory of 2092	400	Ehhgfdho.exe	97
PID 400 wrote to memory of 2092	400	Ehhgfdho.exe	97
PID 2092 wrote to memory of 892	2092	Epopgbia.exe	98
PID 2092 wrote to memory of 892	2092	Epopgbia.exe	98
PID 2092 wrote to memory of 892	2092	Epopgbia.exe	98
PID 892 wrote to memory of 4964	892	Ebploj32.exe	99
PID 892 wrote to memory of 4964	892	Ebploj32.exe	99
PID 892 wrote to memory of 4964	892	Ebploj32.exe	99
PID 4964 wrote to memory of 3128	4964	Eleplc32.exe	100
PID 4964 wrote to memory of 3128	4964	Eleplc32.exe	100
PID 4964 wrote to memory of 3128	4964	Eleplc32.exe	100
PID 3128 wrote to memory of 3488	3128	Eodlho32.exe	101
PID 3128 wrote to memory of 3488	3128	Eodlho32.exe	101
PID 3128 wrote to memory of 3488	3128	Eodlho32.exe	101
PID 3488 wrote to memory of 2940	3488	Ecphimfb.exe	102
PID 3488 wrote to memory of 2940	3488	Ecphimfb.exe	102
PID 3488 wrote to memory of 2940	3488	Ecphimfb.exe	102
PID 2940 wrote to memory of 4464	2940	Elhmablc.exe	103
PID 2940 wrote to memory of 4464	2940	Elhmablc.exe	103
PID 2940 wrote to memory of 4464	2940	Elhmablc.exe	103
PID 4464 wrote to memory of 2376	4464	Ecbenm32.exe	104
PID 4464 wrote to memory of 2376	4464	Ecbenm32.exe	104
PID 4464 wrote to memory of 2376	4464	Ecbenm32.exe	104
PID 2376 wrote to memory of 4072	2376	Efpajh32.exe	105
PID 2376 wrote to memory of 4072	2376	Efpajh32.exe	105
PID 2376 wrote to memory of 4072	2376	Efpajh32.exe	105
PID 4072 wrote to memory of 2616	4072	Eqfeha32.exe	106
PID 4072 wrote to memory of 2616	4072	Eqfeha32.exe	106
PID 4072 wrote to memory of 2616	4072	Eqfeha32.exe	106
PID 2616 wrote to memory of 4724	2616	Ecdbdl32.exe	107
PID 2616 wrote to memory of 4724	2616	Ecdbdl32.exe	107
PID 2616 wrote to memory of 4724	2616	Ecdbdl32.exe	107
PID 4724 wrote to memory of 2968	4724	Ffbnph32.exe	108

C:\Users\Admin\AppData\Local\Temp\0cf4b650df843191b9dc086d6ffee1f41d6db707b9369540c48d2edf156df520.exe
"C:\Users\Admin\AppData\Local\Temp\0cf4b650df843191b9dc086d6ffee1f41d6db707b9369540c48d2edf156df520.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\Debeijoc.exe
  C:\Windows\system32\Debeijoc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\Dphifcoi.exe
    C:\Windows\system32\Dphifcoi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\SysWOW64\Dcfebonm.exe
      C:\Windows\system32\Dcfebonm.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        35⤵
        Executes dropped EXE
        
        PID:3924
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        37⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        38⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        40⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4688
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3468
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2200
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:388
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        62⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        63⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        66⤵
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        67⤵
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        68⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        69⤵
        
        PID:336
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        70⤵
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        71⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        72⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        73⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4068
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4900
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        76⤵
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        78⤵
        Drops file in System32 directory
        
        PID:3168
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        80⤵
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3720
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4108
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        84⤵
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        85⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        86⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        87⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        88⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        89⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        90⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        92⤵
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        93⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5512
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        95⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        98⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        99⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        100⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        101⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        102⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5896
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5976
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        106⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        107⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        108⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        109⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        110⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        112⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        117⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5216
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        124⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        125⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        126⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6036
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        130⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        131⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        132⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6084
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        134⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        136⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        137⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        138⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        139⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6184
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        142⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        146⤵
        Drops file in System32 directory
        
        PID:6432
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        149⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 408
        150⤵
        Program crash
        
        PID:6720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6584 -ip 6584
1⤵
PID:6616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
224KB

MD5
73386bb7f8015fe74ad58f6ffe9d8db2

SHA1
535ca72b39c1a5694317d98f941312c6add04c39

SHA256
ba541cf30e789c1d0e61c56b68822f7c8b04af525714c45573a8c22b2cad1a9d

SHA512
28d0ca21f66fa04e0259e122a45cbc9ebb3208bdb7962ad0350028d362779ceee629cf91e061b4fce0decdb317714665df0a53a0fc5fe0f242bc6f2e1bf0c2b1

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
224KB

MD5
283c013790bd50978738119311433aa6

SHA1
ba12856294f555449ac7c388b7c306f53575a203

SHA256
4f30599e3ba526d1d0c224db8ea2c69d55d7fbb38b548a703e8849e76cff85bc

SHA512
f56d909aeee2ec2bb5107dad289a90fb89b3f4125618d13f16ffbcd28223343f4dad845b80f4d68722759e1dc7b184cb27c9c07d5e26fd223608e8f0dc0908a9

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
224KB

MD5
4cde98e3722ebe27af60e2402ac623c0

SHA1
60b11f595ce8e1ae93ea676b0f4c7277a21bd86e

SHA256
0c06fd08ca833e5cd65d49f81f8165f54473bd3b762326a52b1313ba6537ba55

SHA512
6bb14773a047e460462ce7d4d3a2be7cfb11805781b4f8611707a8becb904686b655c6f5698c148c209c43f83cc13e4ea9565760658ddba5edd6caffb6c76607

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
224KB

MD5
9f5e5be3b4e3533c7d461e9665c9c92e

SHA1
cd1d55956c6b804bffe66cd00b69e8292ccf2282

SHA256
37a478daefd2fc8318b3abb86c34f20005a8775f60c71a0ccf06b5afc3faf4a2

SHA512
ba7bd6bca3af5805332ffe4ab97e6206679127a62f2245ac06b9bb7f61ae032914b977886148022a89ce05f9c7cac486be97ca5bda2fcd86b5fadd04f09a9364

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
224KB

MD5
adeabedd67a5ffd8a60f1ec3cde59fdf

SHA1
4c3168176ebb7d0e22a948a882ecfccc0d2f4a0c

SHA256
026dd4562e6b5b6e08c1604163e542566e5e377d13888f5f9d018c50645a4e20

SHA512
ecb300b965ddba5f572a60ae1cf37debb273b3917f9abc2cdb060e422ebbb6fbc8f5eaca1ce1adfe627b332c3829b6e5bfecf29a58c6f6cc1fa091642f8718ce

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
224KB

MD5
409525262cf76391e5488194ad644e5e

SHA1
14eb79a3490a34437a73ef723668125621c2bbf7

SHA256
149db0df0a497a01d95fb93c00d46d7e4531b1a0bb802381f14aa77db563e029

SHA512
ec5ed7f02aa6f714b714d261716c8f557313aed2b591853e6404d7c1328ff26b07d8424fb101c76db84a6b60ef173c919a2d2eca5943d67690578d38e46fb01c

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
224KB

MD5
12de31e763d374bf9ceb8decd2e8f998

SHA1
30c54f5a455e7cc4e250a51f809b92623e27a261

SHA256
467c432ad4c447e3a0c6d0a2f618fce9254a95de85d5437420780a1d34e665b8

SHA512
19ceec7d454ecda1d079c17e1eaec61470c0426ce411e821a8bb77e379fff25a8b79006b14ed2ab807967c551ede50d551eb8e4a7c2552cfded944282f3c07a8

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
224KB

MD5
77157c409fa5b1fcdd6685b4bb9a23ce

SHA1
ea284d1784ad5facc029eb92ec6c782c9d0b7017

SHA256
660f62005e8edfd83b016312caece129eefd5012ac346223688630376b9dc7f1

SHA512
7bfa508379cd39a749cf0657f62be32c19192a3023b2e08fe16977468275c031a08a2dee48d98a0d0bd002b7aa421830edc4a2fbff5d6e1cd643c77578e4b265

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
224KB

MD5
42b02c8bab8a01c1a93de1c3cf57b461

SHA1
5cec0c253eca12b0646aeff2c054b2da2db5e088

SHA256
be3a23fc0e9dce1a6ee6604c21703420e7597203bfb253ef678f7746bff9b273

SHA512
8a4baf7c9b6f42c6cc70def3ca3a0d6c9ba791b47cb158b2469a7f96da5db8fa5243cf589cea317cef2bb863f27949dc090812800831eb77702562ecb860c45a

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
224KB

MD5
89fb41b1c0d8710d4ecd7a73693dc94a

SHA1
bf7ec2724d51a75a9476b12dbe0dd8704cc17830

SHA256
b011cfae2756d1932ee34508fbfd359bcbea68aa243f5f79bee4a5c54bb5c9dd

SHA512
1e45e412da1c20f0f552f78a091f03e21d919fad1e0e6e24423a51a8f4437ee7bfb76bf928f48e880ebe9aa397e058b02c7042367e634eb6b11b75a26a9c9761

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
224KB

MD5
3223b2fe45fd9a994de97b760af765c3

SHA1
f42529f488b8ad1cfbc55bd722b150424025fe43

SHA256
204f8dcf873118b033a5172913b21a9a3f0dfbaba4c98eeca47bd56da1599bd3

SHA512
e538c86fec94e59b442fe41485fb14af90823fc6d145e05d2be55654345eef442b0c719a262e77add120c95beefd8ef14a585474490c80576f3d9d91616adc7e

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
224KB

MD5
9fda5fd1f89596ad7844bef089979c15

SHA1
ae1408155b92a494470b2b7970c99986770483b7

SHA256
a1f72438bb1034307d9b7a8cfa93ffbbd6ccbc3aab70ca3d35703f3261e4874f

SHA512
5e7caaea4aed06e4772ec82bb1743a26cf178792efeee571892d988f94ff706851fb2a1a92b9ae8f0e413d14f4614824c896d5ffa85b338d98d0a4facd4103de

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
224KB

MD5
5ae6527bd80a0f77c4ae853e4256ad49

SHA1
aa80a868cf4a9700116a6acbe519f7dbc20386fe

SHA256
9b99027dbef8dc2c1335fc193791e4631e856b8370616d315fcc58cc54041c8b

SHA512
848d466644d5508a9e64e96759e96bdfb105340ace11f507b55c6268551bb622aec9bd74f708b25e72ece01e7b5397c431c52a542cc36269645e0ebce03bb426

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
224KB

MD5
7328c80173b0f15f42648d1ecdc9b67a

SHA1
3c1ecd1e5ea72e381a71ab393197833c5d650348

SHA256
6f4b9c9cad3eb10bae8bd903f3fb8582f436b2d98e8a4dce51c6058723db10e6

SHA512
627932bf2c7377ea705e3dbccf803244d0648823de43a06af310b03ae448fd5b306035ab17babb39ebefc190ce4b825193975c91d0fb3d46ffa94c5163a116e3

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
224KB

MD5
d8daee1a16e725255e17ffa423ae6b2f

SHA1
846b2b74c855c1f57fa9f6e8f14fdaa6150e448c

SHA256
54fcf747823bcbb30cd1fa2f8b8567c5e87006ef33cee6be257b68d752eed2de

SHA512
28636c2b2d4686a5a5994c6c3d64486f4f621ecc2246999818d6fe35c4e750e5afc2af23029cc01cb77c7b216ce80a32d6a49ee3376cbf06be28ce8675b1f769

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
224KB

MD5
6d33525c393d6d5ac1d3b4ba5b9b4ae5

SHA1
614e4d69a1435adc0de9e15a7cb8a0ecc5f8ac30

SHA256
28d953bbb85d836b14a0620129ffa327653681605c01c6950c9152f01d55d380

SHA512
d0650082a42d6c885b98b65e0e27015a5d8f776e3de379197f90a338811f5f55b6404f0bed7788a7ddf4f68ecc9d5741a61ad9e25e2f62b0a3a29a2863b89b93

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
224KB

MD5
183ec688a99f56337915799c6b5b147e

SHA1
97b61660f967291aa2a629df1b72e8cc61d53111

SHA256
8d1feeb7869c587bc88620777bdacfb6f3fe8ae31cf42ed0bfbebd3a05bf0fee

SHA512
e8dcf23b78d39409f4f0c402e3b6e40751de2c7823019006cf5df4d4fec787db9470652154ce6829bc78031e1fdacd025ad58221b7f3116dfda0a9eca9ed7ad2

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
224KB

MD5
d437f1d17d3befe469d873aa20b64bf2

SHA1
d140e1c14c8711e898d4340c616fefcaaba6bd6a

SHA256
7d7279e09f128563402f9fc8bf719e0224395a3e47f9bb3a293148970bb0f05c

SHA512
14cda97d35cdb5efce2ca384499cf304da719188a1ed5716e254b3bee683b2232c2f46735ed334425575fbaa556fd797f1a6c7f73a514e01f2638c0a1ec833f0

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
224KB

MD5
8712443f4fb6c650713f97f098541c7b

SHA1
0f1108e5c06c8a0d8d069a31a61ab5e8e9f07800

SHA256
9121e034dd63a56d966703b1891a88b79c963910b9a0627f8fe9aa35ce9bde5d

SHA512
fa58505898a6a7146cfff68b762f898f451bce80310e299297d148a6f1b05da860283a781f17a8a4d6ecb08e53d6821e5ba36c29329e023a227b0565d4c37c01

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
224KB

MD5
05f9a0376bd55d2e78b163d9889256ee

SHA1
b747d46f6b636f54e8cc1df0b8122f7d1c45ce6a

SHA256
1ecf14c2760339b7b94642acb0d4b556beccb4d97a5596dd9cb4cadbcb154109

SHA512
5e707c5bd4f56582def91c72c31f76ee1d1a32f789bf05867d60c9e5ba5d027f36ab603f75850b20dc17c53b49f3a08da871ef2f3ab45fdc57a309d91b2c80c0

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
224KB

MD5
70046864fa8aad9044beb7644f6dd022

SHA1
3a9332274c13b29a991a51699b440d2a220b041f

SHA256
63f27665afe28fe63682a586791ae8455dfb888e2d7953c3f7b56ef913899f88

SHA512
597cf4ee4ea0141d2e0b5ba5a518f8b2b92d8c9ed2894287e4362ec9e184327cd6e3af832c1fe422c0e86511b5a70c30848387f4256e01d1ea1920f8a94d4ff2

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
224KB

MD5
3a79ed1c56bd9eed675aef689dac74dd

SHA1
110917ef2073bf0ba28cfd507c8b94cae3267515

SHA256
973ef2578e76e42b6b989a17d570674a4d1c6ecaded3644308e5c6b9aecd8a02

SHA512
feb3dcb067a3a8e99351836062eafa64cb37561d9d6a1482edb79ccdc7ed4efd6ae9396c563104ca63e57f19aee62611842bab0dfd87983ac141cde78a07c8f4

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
224KB

MD5
cd64a0d672f21ac2e0f4adc507a98c94

SHA1
0806e4547f04153bfd72f780a7409a9bf26337b1

SHA256
ba9356880651083089da91bc8a25fa8afdb75867718cb32017d01c030a16b356

SHA512
5f5e679f9f21f3e23adcf8c4bee5bf779b3073f8631e98865f4a0ae040af1bd5c330a0bd10e49f88150cdc9e7867f2095fb57db875cc3bacfc64902b4f39c4be

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
224KB

MD5
d5b03b0e5098ad78f560c0d6a93a7199

SHA1
61c958e1b4ac9903bfa9de666195d8b52d8213e0

SHA256
92b8b5a29f40e31cc84ac5a402b7cb062ddaa07521e93a7b38d2cfed44d68753

SHA512
09dbc452cdbe2ed454b8cc2dc97ac182a9cded260c1ebf0bae5d7297e62defd601c004ad81063ca0f5f7d2810301ce56ef1c836b99653bfc4dab80acbd0772a7

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
128KB

MD5
007fce1ec971dabe56cb4d4b10c7dd05

SHA1
cd3657805988a2039136252ad58cbb23a264db75

SHA256
22d5d76f35ee19a564d75f7a585c328de78a687df3cc17e833cd2fb0d3d006f9

SHA512
fcc27a033d569c1d930485734a8004295c68563eb39411c7b638d141a1954b5b95337160c09d161aec8c0b1baaccebce480af00f989fc5d59aac888aff4c9422

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
224KB

MD5
2a376d57c90a3cc550d77110c0cfcacf

SHA1
50f78b7a7b3b323d59d32e1546c0ff6071b27c92

SHA256
7093d2e7653995bc3243f0dbf7c4041e2e8a9354fef67d2247f5b53c663e72ca

SHA512
890b9db3b7d47edf1838795bd8d49a7b9eb27d6b1be6546b2e70bf59a7d4cd06603b3da11eaf65f77eb7d552fc168da7ea4ed39506ed9ee9b2e7f87cc675a7b3

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
224KB

MD5
634db5bcb34be2dfb0bb6e2c9d7056a0

SHA1
fec54991afb8134b0b42ce3d5e159c47e568e0ec

SHA256
220f3ddc12c4d0dca1a7365c344e75d1980eba30b5d9cf95a1fb4c59ba8ee0ce

SHA512
2afbb7fc9d4f9fb3a6dbd6373a8350db45214ce72182a288904ad116d7ab8a95ad59f5cfd7dad207c3876fce81225c09bae96ad10fb78746413d39625edf6114

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
224KB

MD5
838bba32246c7e42ac56bb1f0c7071a0

SHA1
c21562bfbc971531f266d745c4deb04d791cb293

SHA256
1fdf0011cd02d098ccd0f8f1f51d20178d6da303505bfe42536d98a556d5d8c7

SHA512
a25cf73800b96b853dac9adae3f229ba22945cc6ef5952d4bdf740de3851f3e0ef6249361449b4977e6f53b1cee81b32c4b13b38c75fe923f0fea470eabfb4f2

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
224KB

MD5
96be9154d4f0f4b6e33fca764d0808e2

SHA1
77d21977fa36ed9644bba6c30f81b788f9f300bc

SHA256
ac62fabd7c2c195fd1cbe04fb6403d6735b8f540e6a2c4c5008752ffd6912898

SHA512
87f01fcf3f9fc44db1fbdedea65661cc7285232eb296b8936bb65af5a5c11a2563e4b1d7e096dcdb3cb113149391f59499c68bd73767aac9647f86d6bfa6537d

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
224KB

MD5
5816b3049e9b9ff5a53e6670629eced7

SHA1
3d8cc9148f53dba2c17d18ac2aa092586bfca826

SHA256
741abfa33bec6be44c8bd0a3a0f4d42a61f8b920a15088f2a238da8c3e12d8f4

SHA512
ccc5fd40bca1366d49b0ce0dfd97ddfdbcd890a24b9cefe24ecd651f14b672306746563e0e820c27daf7472b292dd8b695fdf24a66283ce0e10832e729cb2892

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
224KB

MD5
efaf83b8ae9c7d10a6c54cee74ee0e9f

SHA1
b52edde3a4bdca5e15fec18cceef5ed2d8ced3df

SHA256
394c6dd6baea358760ca59f1aa681990b4b5feced006634b88fc78631eeb4678

SHA512
984571aab7b5ec3c191217549bfe3c3c1ba85a9e2afca827c54a162a4c0dedf3316c7ffbf0b3f568186cd33f464d618af56050082f3d102bfb9b161b06914234

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
224KB

MD5
cb6d07a11d798b9e4a09480fa31d92bd

SHA1
6ddf4d55f38133ffb6208f819a1728aa76249c28

SHA256
51a7e5980c090d054feead5eb0f0d7cf5cb77788cdd73ceb20488228ee1c29a3

SHA512
d1c362e38f6a5b91a8273b2942e8b69b033d7ea192a43ba65067d6ffc19d2a98639ba738361efa50569ad5756539732d727f1fa729381afb5e23b29351f4d4fc

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
224KB

MD5
26afeff71cf99c386294d759cdcf566f

SHA1
f5672469c042c85ce5287ea95811956d62f3531c

SHA256
63bd06c4cd84d7f75a5fc56caed13454b7c27e85d58433e807a4279eed449b6e

SHA512
b3960f7fe7128dc562849bee815e19225f1c6a6cd0b8443bfd290766c4e2dac0462454a28d5862d1c22e834dbd29d778c96d8d90ec7fd924f0af95919e450836

Download Submit
C:\Windows\SysWOW64\Hccglh32.exe

Filesize
224KB

MD5
d852ad414407ec6657d0627c2726446c

SHA1
2ca3a4d5e972c40c57677e04970c8cbdcdaf5e9f

SHA256
df61f8521070cb1cad66b94ba09540c5f018e73a7b3d0a18d316af9d519662cf

SHA512
df44848ca51907d77a5fde2fbf8e0831b4ef78b6b24b8316a9e77f11aeb1a769698e18acfa004f80efbdd2e06d16fd7e515c6d2e2446e65553260cd86424448e

Download Submit
C:\Windows\SysWOW64\Hikfip32.exe

Filesize
224KB

MD5
d99bef1f54cd446d96add204ce65cab8

SHA1
08e65c7b5b9282cb093bbaec66a374033663b6b1

SHA256
20548b099f743b7c4ed11249de7d99e2c3d70ad4d224ccc0898f432e287e8cb2

SHA512
070d44cf46bba07b02f7c5f6e4a22103c582c4655971b92bc055988491218a7da5be89e3736d3b667646f40800e1e4cf858f680c68874bec82665326d27378e8

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
224KB

MD5
1625c7c51d3e03756ef45f19111fca89

SHA1
907a52f47acd79a3e55f6b567a0e69215f065684

SHA256
dbe205bbce16c63e617f339f5f7ccb8d31ddf8d1a201db1a62c89611d8411204

SHA512
3374bad377175c403b9e6ffd8222934547a0457fab7c8491d24c53f7b919f546f1192cf5e03b4882711f9e53c4a3bb7e2bcebd15587624c351dae2f73cae6403

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
224KB

MD5
b24cdd441095aeb3ef5034d5df6632fd

SHA1
f811e21bfe701b1577201c0c8ab15b8e1067ec32

SHA256
504cf81f5002adf54f8e934732144664bceb22761073157af923340cede9840f

SHA512
6ca975949f16f702c34ab2cc9301b564830e1e5509a04ac7952670cba0ac232ca9b6ed0e1f884fd8d4f64dc75cc1ed7b492141468c04343fced74275ae43da5e

Download Submit
C:\Windows\SysWOW64\Jmkdlkph.exe

Filesize
224KB

MD5
b0f0d8e40752088a559f733aeb509399

SHA1
ec9480fb42c3abaa20d4ada95e7170f7a9528150

SHA256
3f3090ca1621f1abbdf01f964b2bc739b39f00b746a3614fe2743e8b27188811

SHA512
76916b0ad5ef1f926e1fa1c0e4314bfff8bc3a783d0c00ca66d2f058f3c1110e99c3bd9cccd5dbcff8a7aa14bb69af5c2ef6ef9d2ec60e18d1475067641139af

Download Submit
memory/400-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/400-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/544-29-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/556-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/584-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/584-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/828-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/892-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/920-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1300-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1376-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1376-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1532-287-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1768-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1768-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2008-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2092-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2116-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2164-336-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-365-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2376-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-169-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2968-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3128-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3228-250-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3360-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3468-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-123-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3532-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3688-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3688-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3896-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3924-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3960-295-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4072-164-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4400-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4400-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4420-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4428-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4464-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4484-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4576-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4672-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4688-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4724-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4776-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4856-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4904-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-372-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4960-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4964-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-93-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5092-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads