4c9bd40fded019af0bf8b91e11360b89883ac2c0cec266be44d21ec98c29bdd0

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c9bd40fded019af0bf8b91e11360b89883ac2c0cec266be44d21ec98c29bdd0.exe
Size

199KB
MD5

deb996197e8be2dedaf4b807d78bbc87
SHA1

d09b8bed271b0b59e161f44614be30351b3e923d
SHA256

4c9bd40fded019af0bf8b91e11360b89883ac2c0cec266be44d21ec98c29bdd0
SHA512

b9d858176b612c5d582b81db8335dd5c3e20fbc7f23bdfecc9ff0f148a9ee24d511229038c64dc4cb6d4b37efe1d4fb658800916cb8b51d91604960296b8d09d
SSDEEP

6144:HK7pQedwgB/eOSZSCZj81+jq4peBK034YOmFz1h:HK7hdwgB/2ZSCG1+jheBbOmFxh

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4c9bd40fded019af0bf8b91e11360b89883ac2c0cec266be44d21ec98c29bdd0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dljqpd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4c9bd40fded019af0bf8b91e11360b89883ac2c0cec266be44d21ec98c29bdd0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlojkddn.exe

Executes dropped EXE 64 IoCs

pid	Process
2212	Djlddi32.exe
2816	Dljqpd32.exe
4364	Dohmlp32.exe
4552	Debeijoc.exe
220	Dhqaefng.exe
2424	Dllmfd32.exe
3688	Dokjbp32.exe
3092	Dcfebonm.exe
2972	Daifnk32.exe
1572	Dlojkddn.exe
2304	Dakbckbe.exe
1412	Ejbkehcg.exe
892	Ehekqe32.exe
808	Eckonn32.exe
2592	Ehhgfdho.exe
4404	Epopgbia.exe
3136	Ebploj32.exe
2184	Ejgdpg32.exe
4736	Ecphimfb.exe
2004	Efneehef.exe
3508	Elhmablc.exe
3468	Ecbenm32.exe
2504	Ehonfc32.exe
2200	Eqfeha32.exe
3856	Fjnjqfij.exe
4228	Fokbim32.exe
2156	Ficgacna.exe
1832	Ffggkgmk.exe
3544	Fifdgblo.exe
3228	Fckhdk32.exe
1248	Fihqmb32.exe
3536	Fmclmabe.exe
3180	Fcnejk32.exe
4616	Fflaff32.exe
4248	Fjhmgeao.exe
4904	Fqaeco32.exe
2976	Gcpapkgp.exe
2328	Gjjjle32.exe
2092	Gqdbiofi.exe
4120	Gfqjafdq.exe
4728	Giofnacd.exe
2192	Goiojk32.exe
4856	Gbgkfg32.exe
3672	Gjocgdkg.exe
3232	Gmmocpjk.exe
4724	Gfedle32.exe
1192	Gidphq32.exe
2444	Gcidfi32.exe
4036	Gjclbc32.exe
3204	Gmaioo32.exe
2456	Gameonno.exe
768	Hclakimb.exe
3416	Hfjmgdlf.exe
3088	Hmdedo32.exe
4704	Hpbaqj32.exe
3704	Hcnnaikp.exe
3388	Hfljmdjc.exe
3976	Hmfbjnbp.exe
3376	Habnjm32.exe
4252	Hbckbepg.exe
4432	Himcoo32.exe
4236	Hadkpm32.exe
5108	Hbeghene.exe
5092	Hippdo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Eeopdi32.dll	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Omfnojog.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jangmibi.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hippdo32.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Iapjlk32.exe	Iiibkn32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Fbkmec32.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Ficgacna.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Dhqaefng.exe	Debeijoc.exe
File created	C:\Windows\SysWOW64\Iebapp32.dll	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Jcgaen32.dll	Ehonfc32.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gidphq32.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Ejbkehcg.exe	Dakbckbe.exe
File created	C:\Windows\SysWOW64\Fdcfcpdf.dll	Elhmablc.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Lfmona32.dll	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Ibadbaha.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Daifnk32.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jagqlj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7104	6972	WerFault.exe	259

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmmocpjk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dljqpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcfebonm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pckgbakk.dll"	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll"	Ecphimfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dokjbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiagblgj.dll"	Dakbckbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejkjg32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omccgkde.dll"	Dohmlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejbkehcg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2212	2252	4c9bd40fded019af0bf8b91e11360b89883ac2c0cec266be44d21ec98c29bdd0.exe	87
PID 2252 wrote to memory of 2212	2252	4c9bd40fded019af0bf8b91e11360b89883ac2c0cec266be44d21ec98c29bdd0.exe	87
PID 2252 wrote to memory of 2212	2252	4c9bd40fded019af0bf8b91e11360b89883ac2c0cec266be44d21ec98c29bdd0.exe	87
PID 2212 wrote to memory of 2816	2212	Djlddi32.exe	88
PID 2212 wrote to memory of 2816	2212	Djlddi32.exe	88
PID 2212 wrote to memory of 2816	2212	Djlddi32.exe	88
PID 2816 wrote to memory of 4364	2816	Dljqpd32.exe	89
PID 2816 wrote to memory of 4364	2816	Dljqpd32.exe	89
PID 2816 wrote to memory of 4364	2816	Dljqpd32.exe	89
PID 4364 wrote to memory of 4552	4364	Dohmlp32.exe	90
PID 4364 wrote to memory of 4552	4364	Dohmlp32.exe	90
PID 4364 wrote to memory of 4552	4364	Dohmlp32.exe	90
PID 4552 wrote to memory of 220	4552	Debeijoc.exe	91
PID 4552 wrote to memory of 220	4552	Debeijoc.exe	91
PID 4552 wrote to memory of 220	4552	Debeijoc.exe	91
PID 220 wrote to memory of 2424	220	Dhqaefng.exe	92
PID 220 wrote to memory of 2424	220	Dhqaefng.exe	92
PID 220 wrote to memory of 2424	220	Dhqaefng.exe	92
PID 2424 wrote to memory of 3688	2424	Dllmfd32.exe	93
PID 2424 wrote to memory of 3688	2424	Dllmfd32.exe	93
PID 2424 wrote to memory of 3688	2424	Dllmfd32.exe	93
PID 3688 wrote to memory of 3092	3688	Dokjbp32.exe	94
PID 3688 wrote to memory of 3092	3688	Dokjbp32.exe	94
PID 3688 wrote to memory of 3092	3688	Dokjbp32.exe	94
PID 3092 wrote to memory of 2972	3092	Dcfebonm.exe	95
PID 3092 wrote to memory of 2972	3092	Dcfebonm.exe	95
PID 3092 wrote to memory of 2972	3092	Dcfebonm.exe	95
PID 2972 wrote to memory of 1572	2972	Daifnk32.exe	96
PID 2972 wrote to memory of 1572	2972	Daifnk32.exe	96
PID 2972 wrote to memory of 1572	2972	Daifnk32.exe	96
PID 1572 wrote to memory of 2304	1572	Dlojkddn.exe	97
PID 1572 wrote to memory of 2304	1572	Dlojkddn.exe	97
PID 1572 wrote to memory of 2304	1572	Dlojkddn.exe	97
PID 2304 wrote to memory of 1412	2304	Dakbckbe.exe	98
PID 2304 wrote to memory of 1412	2304	Dakbckbe.exe	98
PID 2304 wrote to memory of 1412	2304	Dakbckbe.exe	98
PID 1412 wrote to memory of 892	1412	Ejbkehcg.exe	99
PID 1412 wrote to memory of 892	1412	Ejbkehcg.exe	99
PID 1412 wrote to memory of 892	1412	Ejbkehcg.exe	99
PID 892 wrote to memory of 808	892	Ehekqe32.exe	100
PID 892 wrote to memory of 808	892	Ehekqe32.exe	100
PID 892 wrote to memory of 808	892	Ehekqe32.exe	100
PID 808 wrote to memory of 2592	808	Eckonn32.exe	101
PID 808 wrote to memory of 2592	808	Eckonn32.exe	101
PID 808 wrote to memory of 2592	808	Eckonn32.exe	101
PID 2592 wrote to memory of 4404	2592	Ehhgfdho.exe	102
PID 2592 wrote to memory of 4404	2592	Ehhgfdho.exe	102
PID 2592 wrote to memory of 4404	2592	Ehhgfdho.exe	102
PID 4404 wrote to memory of 3136	4404	Epopgbia.exe	103
PID 4404 wrote to memory of 3136	4404	Epopgbia.exe	103
PID 4404 wrote to memory of 3136	4404	Epopgbia.exe	103
PID 3136 wrote to memory of 2184	3136	Ebploj32.exe	104
PID 3136 wrote to memory of 2184	3136	Ebploj32.exe	104
PID 3136 wrote to memory of 2184	3136	Ebploj32.exe	104
PID 2184 wrote to memory of 4736	2184	Ejgdpg32.exe	105
PID 2184 wrote to memory of 4736	2184	Ejgdpg32.exe	105
PID 2184 wrote to memory of 4736	2184	Ejgdpg32.exe	105
PID 4736 wrote to memory of 2004	4736	Ecphimfb.exe	106
PID 4736 wrote to memory of 2004	4736	Ecphimfb.exe	106
PID 4736 wrote to memory of 2004	4736	Ecphimfb.exe	106
PID 2004 wrote to memory of 3508	2004	Efneehef.exe	107
PID 2004 wrote to memory of 3508	2004	Efneehef.exe	107
PID 2004 wrote to memory of 3508	2004	Efneehef.exe	107
PID 3508 wrote to memory of 3468	3508	Elhmablc.exe	108

C:\Users\Admin\AppData\Local\Temp\4c9bd40fded019af0bf8b91e11360b89883ac2c0cec266be44d21ec98c29bdd0.exe
"C:\Users\Admin\AppData\Local\Temp\4c9bd40fded019af0bf8b91e11360b89883ac2c0cec266be44d21ec98c29bdd0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\Djlddi32.exe
  C:\Windows\system32\Djlddi32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\Dljqpd32.exe
    C:\Windows\system32\Dljqpd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\Dohmlp32.exe
      C:\Windows\system32\Dohmlp32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Windows\SysWOW64\Debeijoc.exe
        
        C:\Windows\system32\Debeijoc.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4552
      - C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Dllmfd32.exe
        
        C:\Windows\system32\Dllmfd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Dokjbp32.exe
        
        C:\Windows\system32\Dokjbp32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        25⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3856
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        29⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3544
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        31⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        34⤵
        Executes dropped EXE
        
        PID:3180
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        35⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        36⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        42⤵
        Executes dropped EXE
        
        PID:4728
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        44⤵
        Executes dropped EXE
        
        PID:4856
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        45⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        49⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        52⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        54⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3704
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        60⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        63⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2568
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        68⤵
        Drops file in System32 directory
        
        PID:792
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        69⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        70⤵
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:412
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        72⤵
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        73⤵
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1976
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        76⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        79⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        80⤵
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        81⤵
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        82⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        83⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        84⤵
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        85⤵
        Drops file in System32 directory
        
        PID:952
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        86⤵
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        87⤵
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        88⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        89⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        91⤵
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        92⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        93⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        101⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        103⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        104⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        106⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        107⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        108⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        109⤵
        Drops file in System32 directory
        
        PID:6064
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1532
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        112⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        115⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        118⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5700
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        121⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        123⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        126⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        127⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        129⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        130⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5620
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        132⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5856
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5976
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        139⤵
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        141⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        142⤵
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        144⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        145⤵
        Drops file in System32 directory
        
        PID:5832
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2832
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        147⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        148⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        149⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        151⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6320
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        155⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        158⤵
        Modifies registry class
        
        PID:6488
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6544
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        160⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        161⤵
        Modifies registry class
        
        PID:6640
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        164⤵
        Drops file in System32 directory
        
        PID:6768
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        166⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        167⤵
        Drops file in System32 directory
        
        PID:6896
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        168⤵
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        169⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 408
        170⤵
        Program crash
        
        PID:7104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6972 -ip 6972
1⤵
PID:7060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
199KB

MD5
12aef153b03e2db256cf54041da88042

SHA1
2ff13fa7b119f175a253233756cf963dde7e57be

SHA256
ecab054ff3c787f7a7d8b7f6d63950c984821d2f3778a4acb262b36066dc2c2b

SHA512
684c5bdb89477389c4557008537287b02b92c24d685dc1a6ea7cb000763dff9ec14ecf1f2dbf3ac78d1cb3ca76d608cfa9264e14d7f83da807c0ec642213ec2e

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
199KB

MD5
6b54a9433e5fdf2a7fdad1a07d9839c1

SHA1
a5bed1567d3b20db5b177827005d1d1de4c3e27e

SHA256
832896f63a092056b97eb4e077eee6dd6cb46ef690ac7bba50a5c38348c68246

SHA512
42979b3af946572dbed922f0b4ea3ee4e328bc56684f0bf2f19db0f4db91539d09bbdc74ec9467e1995ece69155b81b178e70198100e1a4717c664282d35deed

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
199KB

MD5
b62c4e70efca2a8dfeb1e8d54f0332ae

SHA1
5f42ca8e003e284dd3b3aec21d09b03a40a7dd60

SHA256
afaceef2f26b031f97d7e7b42e7f85c288abfd35a9ad2ff214864c410684438e

SHA512
a73027eee899bab59dddb0b1332a6d1f5227b6e76f440566effad2c01a66b6944a2dfc15e8466c32133ee5753329e37f5189f707ba02e3b445c9316b40cc26da

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
199KB

MD5
d3305f9217e4708ad4bb6eeaef24d966

SHA1
08f9d6168a2f575b03ebd86a27f677d3aac4dda7

SHA256
07e3895c399422547d54ac6459e7262b70c5669c0e846663fb40ee7b08ab0dea

SHA512
278eb9bd04d3e98165d688fab3cd11586d4257e60f26eb9753520dd001de74a41c4b092721f24a2210c5828357c9e836f269cd54962b1d7ca0726503b9963220

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
199KB

MD5
4bf71673fe4a8e9cbba2738af1e9f9ae

SHA1
bccba3948210945437224593f7191262de5fafd8

SHA256
d8c0f7fca8a9fddc8a239324fe6f0332cfa7a991e5276fd019283279927439a7

SHA512
700e5326eca66c780bd399e5a226e9bd2873a3a1a81f332088391c0e09bb25835ea8e3a3a8c3659ded468b772bb76347f6bd855c2f16b2f3613e95ca90630e87

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
199KB

MD5
2befe9b20a57610e3afa7d8f4240b60a

SHA1
acb00faaa94d74e11c7d377a38735f081c704536

SHA256
547e49a834b2c3289cc526f005c9f18f0c01cfecd7bad001bac33e59cf98968e

SHA512
724e18a54aba5ff0b32550786467cd5eb7780f67d651c7bc571dcb9ba823d7e2645d276c7c39b25275bd76750760c13415df07e30628e68c8ae4c64841dd777d

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
199KB

MD5
f7c3e0aa3ce5338db69b568ff5dd40d6

SHA1
ac53270c18adced747fe16e5f8a6febe633cb2d3

SHA256
2079bf2000f7022432d700f4df989bc1b0151ad3465195739fb34958c51d7417

SHA512
df4e00ecf8ed9457ee10f7fe7a11b5dcc106d64d0d94b849348e8c26b48639ba604364294f267ead2a29341fa0fbf85f13aed0b370e39c5c74b5bfafdd361b7a

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
199KB

MD5
f6a9b7dedf5b1729cd60d68cf7381228

SHA1
31ad6887e04110121832336e6fbebe0375c38c82

SHA256
250dd6624e82a04e11640381d3b3a443a357397a86aa29b063afcc64a85fdbf7

SHA512
438a09bbaa09fe35cb5110e3124531f8b1d711e299cc11311effefdb9e988d6c83e8a273ca62bd5ec2dde90b16cd84d409374a658b3745df29056edfa4d22110

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
199KB

MD5
8b8b9d7f4d614ff815e203ff293c18ba

SHA1
598634ad09892ac92d9d242c9e15029db93b72c6

SHA256
50428972fb9f3ba500a6cb04557f7aa938261fa2d6b00fe21225ec6c75f9ebb4

SHA512
22f3a157dc11697e13859630b20afed91a733521be0b8d36b40e591d7067c5b1859ccbe906aac19948c113e7e6d9de76c810c5d38f73b4b337c04cabf95c07f3

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
199KB

MD5
120f856da979b9fc8451eff511958377

SHA1
60a7a882ae72139aa1400904bc3bb5073e4ed593

SHA256
853da9530a1e064014d1fb6aec4a7c6b2bae490ffafe252f28a32834727a48b1

SHA512
262cd8f81d60e54d3aedd709b96f27cb3d1cc58a05e33daa83e7620a22af72b1a59dc2e7206a815ad6d4dfb197a7cde16c9983a414a52cc4a8af019b5786333e

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
199KB

MD5
31c9aa571c14552ca302158eff447d78

SHA1
54e7880d2e09ffbb7af3fea386c81d74e339b8e8

SHA256
4f741ae736f5a94ec1dbb803d3ce130c3a84faf591a67a8fb1837ec866041611

SHA512
1bdd1008211b58994d2e1492713f3283e020dd8d02c5c2754361ff7f5a4e50f2f0cc7da460584a863a8100b2ef72d4b0685636a82c72dad51d3577c13f541d4e

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
199KB

MD5
857f20edbb93da11eecd592c4fdc1fb8

SHA1
241ef69fda19b0108d4b9dfb47fbc028b6afcaa1

SHA256
cfaa1128b3728de140ba7e645738a8d215c8d720da0d3440146b75b9227496cb

SHA512
cff153da3bf28554a1a2ea3288f33eba8f3d14503a4a51ecafdd11890d6e55fac453e35a5501f151d1839ea465b46fff8a5122c5522592aaa9368d78fe8b9229

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
199KB

MD5
7487d8dd2af603caecb8dda2d8ad1144

SHA1
2aa0543d296ba3c047120e0cb0c1a6f447084830

SHA256
ab7cb6dc88388903e9a2d3ae25098a38eb53150e8fddc0f65525ed41b910a65c

SHA512
44b9d76e7a9e87abf1f5d627997d58ccb680582d8796045a1a4739d9c48b2884c263ab677e698fa44b030b76546ebda3aee91d8ad4264261461824988a5de3e6

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
199KB

MD5
baa01ac4049a468b2cd818971862ff8c

SHA1
3b64a0d74552b5e6d133446c3761bc7a8262a909

SHA256
a3a64f044f0c826acfa407e39f77510ec963d3975b8f249554c6ffbb48e5e0e2

SHA512
6960194793e35c8c108d33e05a9574d9293d8ca64f41ccbf04d0e5bca6bfc2aa348bc142b31bd86573362fab8fd9a8587049a6d14d450d5ce15f448ad61a6d55

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
199KB

MD5
da1af36cce7d8098ff5eabc7afebc4fa

SHA1
627b508153ad9866808737a260ae374570d7d358

SHA256
180956b53b68439729f7c009d9175138e25af5955a6b51bf764fa9b5dc9ad389

SHA512
89ead342c8cb93e96a28888236a2159a1e2939d99a23c2e1011919ec3187ae92588da2739552839cf5301cf84dc565ddd3523aa27a22cee8984d554fae74270f

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
199KB

MD5
3a3a84500c223f43fd5e71e67fc7f6ab

SHA1
53da368a4c85f747371cb0166402d27b4a2b6cca

SHA256
28f572c25aa59670cf7bf8e38c707c8dae75500cc98f16de344a36e4ed8e78dc

SHA512
d32f0697d9fdbbdc0525f8eb3bea572115d7569c927321cc4540d583fef85839e1bb55c86b26504d812bd2d6dd4775626384f7a931cbfa4a8ae35c0ad7887e66

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
199KB

MD5
f3d02ba8a4fdd2c756440994f17da858

SHA1
0ae6975a08183aed268bcf14a1a1225fc801cea8

SHA256
7213a244e634a71279b92b95fdc3b050ef29e14a78aa1c26d924d5db2da4e8a1

SHA512
3656fccd865344aa7fbf662aa059441ad76120f1a35c83bc480f19524f4936cba913e16c8cc512076bdd61b831e6be6ce702ff93388ce2a9c4d863e7a6c3e4c4

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
199KB

MD5
bf9d37d890a56aaf7535f93147704621

SHA1
a46e481b4f90d0c1b9259859c98771bb6184a3c8

SHA256
df05553b066988db0db99459534e83ec41c44ecfeba2e09a66b32aaf3116f16d

SHA512
cdca5f7a6bd5d9029d2f78cd35ebbcde15809503d94360b5a60ee31d25ea03af292f17b8bf2d298c645e599cdfd4f4e90aab286b84060b2fc969e271553ccc15

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
199KB

MD5
666000716e4aaf5ebd61acb3f3f96dd9

SHA1
1d676bbd5197bac8c50f3363fdebd2525db2951e

SHA256
4f680cc0901cf192889611aa7dd478e1c37fc37347eb59194275a51a73d3c352

SHA512
e00c95b887d8bef179c1421f3730978fe90ad25f3b77435739a28fdb380c7ae42f8093bf6f9d53c72737ac5d5d667b778639e73b1f4d1cb7687782808fa52937

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
199KB

MD5
515ebd1c0493bca7722e937a67e1bcf0

SHA1
c08e27e4746cf210ada25e4f27f39f9a9298e221

SHA256
57d0e37c1fbb60d85b2a7d8f1f0605cc7fe4051231b1b3d5c020a5592123d4f7

SHA512
74ddb473af2e94f5feaba61ef127af3b6b8d2d2565bae8b36d038b98da230088793d3ebf296989f4ff56bc71de942f4d1bab03cfafed5a9e79dc54f66ce83181

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
199KB

MD5
075b3d009347aa4ea4fe70c0061771ab

SHA1
5c4eb52e43dac66a614ca37bc7e147b85a7d49ca

SHA256
57a6744816fb3ab59240b7044419b61127365ba86ea76a84f8a236247c9ffed5

SHA512
0cdea5c0949704afa0b70b272233d2558b908a8176317aed802c1c4a144bf5c94bfb9dd6ed4b2559d8c4669a5728967a4c393c803d84eaae7c8d6efbab45c98b

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
199KB

MD5
5972299b008d4a153d9da88e3c87fcb5

SHA1
a16c3a04cc12d1896d4c7f6809205e108522b8fb

SHA256
40b20014cfb6c3132fba267bdac247acd016cf2d0988f85c2a3d2d00f90d7331

SHA512
ef7d4a1c612c7d14135f342062fbf202d51b0ae40cf8a791de47b6254552ffb09f96bc6a46baf9be2232f3d252830ea067f54d029b42532688b2a0745254752f

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
199KB

MD5
fe4d3cc603f1cdf0caff8e1472328f60

SHA1
5b55e800f2ff21f71dfac7991ea5e1bd8d2b9371

SHA256
4069023dc5724c2b3004b5a50c0015e9f9189a701a5322b2652061a68e0b6b17

SHA512
2f49960169470fa819cce49826c4006e623244589d75d2111698c81fb69c1889d0d7a17d41a160187b976d2ab16a3e03eb561c2d5c263d221b8bbdc5f5700c7e

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
199KB

MD5
0c25cae9495b0c8cce556574be276a2f

SHA1
2111a08785b6efc233e94e80194d4b3db6bea721

SHA256
79f7505d6e0888a731134c59b16cc6a8cea6dc40d9e375f406213d2d886570ce

SHA512
6b228b680a9bd38d3466910e7cd6f0737625af3f94e2544f065d9f0539472392c70a21c5760c61e441e63e76e869a6a3644cec503104285ac41032656785be27

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
199KB

MD5
4b7d6a1ba8d6d138ca8e99ab2ea582b1

SHA1
337f743eec252cde6d9227ad48d21f6523c69229

SHA256
85e4f2031d60bb0385c19f20f3ecd1c573cf6b5f4379bf5307229ca46bb886e8

SHA512
14771cc2902ae97b36e9f6f0af1074415e5e15ec05c1debebe9f0eada1d29e4d3974e4c1ba561aea6fa023b99fde2772690a2edeb1d4923fafb11f4ddfd312a5

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
199KB

MD5
041e5ff00597e46c29558724e2534196

SHA1
3b099610fcfdcdf10735cba28f864e065b26e83b

SHA256
5494a434b6dee68db41241f35566ca42b17dfc92a83dbd48b081135c7df17323

SHA512
34060b52dad5b20fa0962437d7b808b6e9569eab169900a98f308ca06a2b53080fe0a88cd2cd112d4f4e18fbdfb49bd78c03afea464a84bafaaaaee3d7f1b5a4

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
199KB

MD5
a8c5c44a00d6306dfc3dafa41e6d9874

SHA1
7a13c455affc2f805d73d917847247b69badbe4b

SHA256
f77bb2a2f87b6d3109eeda92fc728a822bfd66ec2911871cf74a9e127d0bf0a4

SHA512
5555c400b9409f69b4f360fc3c3982469732383d67a7c11f9d22d984f2222b79a01e4ce10465768fae20c137e65d187e550eb71334364dfb557431ccae9c9efc

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
199KB

MD5
e40b8714c7a224ac1baa7d241914c506

SHA1
2f793f5c00e6e32df0af3c311301fa6ee0e5c030

SHA256
a53f83a9e2e7c41589323ac1f6b902b1815305f58e00c1ec61ebe853d6215157

SHA512
5c712e41578a3a512ee793eca700d142f0f32b34226b02330e3f9fb5dd5a5aac2a1021064e3c76a370b3b5b13891f1befdf3513793ed88892caf48b94b529009

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
199KB

MD5
c7837c917f144d3d6e494bc29ff8b09f

SHA1
bc29d453dad0aa857fec184449fe83abcf8b70f1

SHA256
917cb14944c01043225bf3577fb6fcba8514130de511ac4fb1f6ddac896a15be

SHA512
a0c39f142d47412aae39be4e83769aec6486eadd8f7a00617bab3f3665d9ccd3c9a92027cfef57c63ffc32c99efddb6507712d18c1fb2bcdb4deaff3f551c022

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
199KB

MD5
11928092c782e29278fb5186741e0ca4

SHA1
c4fa1a1477d9bdac4f205f80f00b60ccd092257c

SHA256
ee1432f6a217788e518c284107c7e4e39b2b7d10e741508ac5d7a2ec66048ec3

SHA512
94aab05476240b3c6701f8652a68c4a7103db342c0066b9c8dc4ff1028b819c627bee2853996f028b9163a50e4f3cc09eeb877c492a734fdcef4c4d12e9e5ed9

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
199KB

MD5
58b61ec2c0badee69b3e35e9708a3d3a

SHA1
38ee45a12623a0629c6c501d824ef6abe862688a

SHA256
79944476f089a3360753cd6d39d4c4122fc61d7d2e240a94370dd7ae05c9629f

SHA512
06be0e8801f2ec876cb3c0b8d6b92c88c1f95b2b4d2789507e3b6c82ab47655ba2fc947b6eb494d2230b84c1872550c87167e180329acf652462391ff83d8c92

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
199KB

MD5
50618323540ce9ee93cf6bb5aa5af3d7

SHA1
7496e0d688c45ae4515f6ce5cd3e9b86bfc3d565

SHA256
04b38e31ef9a5cce0f0d4eaa779cdd3d50a8945df3c4b7238d412052d6bc5a53

SHA512
b6b2676d53b647f47ae471b941556f950fce0a0b8dfe8ffedb8d82bfc0885f62a28ede8c304ab375297c1c59538769368326c55041d09f3242d174fa9a5e5bcd

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
199KB

MD5
c664ea405a8bf672c92474f831be6bf8

SHA1
fe7250268f0e9d2da7bf62d6bfc73851b25e03f2

SHA256
ee18b871119645dd0c571bb20d5bab86a4ed5602bbbce5747363770489446232

SHA512
437dd45433b208183dc4f1f7501c3228f186b4b99eb657a2b67ce2f43b04c78230ca055531efcb81c722c4368a17b45880c26fe15bfdd35cf68575464afedb70

Download Submit
C:\Windows\SysWOW64\Hjolnb32.exe

Filesize
199KB

MD5
944cba395764c469152aa8ab635696ed

SHA1
b519bcaec7a7aae40f8492169ec3f08c328ab3ec

SHA256
97050c928e2b92ea75f535f3f595a6958f0ecc13269c54289de1ac276040b7ef

SHA512
af46e590e00c5a86b189e1cd54194d3ad7b2b1aa491528f4059003e40e51e84a57ec1b4a4123a8d23016bec6e3e195250a523d72cb688c811b6c22e8b6251f1b

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
199KB

MD5
146f7c346483aef64729e470eac2dd6a

SHA1
7a8f9f8fb8b5fc1a249cc1b2881dcb1f115e7c78

SHA256
1fd1f539f22a5a5227b8dd4c6c7f42e6dfa0e364fc07130dcc62b94c8cb59c78

SHA512
0f01de658b05bd51fec2f66d202aca758219264e04bd20ea0984080e707ef3fc7aecbb1f21ee8bcd103bf366bcdef80ddca75023c09b1ba2689463db859ec506

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
199KB

MD5
121b5c8fbf89a2376228a5249f96cb00

SHA1
9f4c8679e3e688f93934ecb58746bd4ee931116e

SHA256
903f84fc6730c9199eff97bc0cf29ff8b47fdbe880b758778c516ad9058d410e

SHA512
351ddaa4cc070d7073e4f52831428c06cf3f38013306bfd5da6b68ef17c7b12e2e7e6230a707974debebc78c5afdbcde1387cf3b5897c8d6960ea0cf8a77ee69

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
199KB

MD5
9a9b2b93bb5b37c5e8c75d7908ac3355

SHA1
ec1235dcb1f1a8106bcdab8e8a8b72a44d515512

SHA256
9474b8b06d466223ca8f1fcd750439de93a821658ece6cecae7071d3f6654eaa

SHA512
81cff251a8496fee10d980c377175122c6c76ed41ffa48326d424fdd001165adb19babdf0a65747ea4f9b6b7961d5de238f745e8669a1a0275025c0fcc3f6221

Download Submit
memory/220-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/808-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/892-109-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1192-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1248-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1412-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1832-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2092-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2200-193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2212-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2252-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2252-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2304-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2424-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2444-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2972-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3088-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3136-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3204-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3228-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3232-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3376-419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3388-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3416-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3468-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3508-169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3536-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3544-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3688-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3704-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3856-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4228-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4236-437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4248-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4404-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4432-435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4552-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4704-399-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4728-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4736-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4856-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4904-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads