778feb34846d0cafb83573eec6234072b33a4951dac31dcba99b4860940e9436

Analysis

max time kernel
91s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778feb34846d0cafb83573eec6234072b33a4951dac31dcba99b4860940e9436.exe
Size

276KB
MD5

c83b7daf533a0e017657cdc92f758468
SHA1

bb7e0d1cf7caea84ef9f7f37799badba9dbec4bf
SHA256

778feb34846d0cafb83573eec6234072b33a4951dac31dcba99b4860940e9436
SHA512

1e1ef2446573b24d913f1829eebb31b64045058c922cc31ef76724695480ed4ccc3868ccf6c14ab7e09e43d9c7aedda9bcd5ceb3983afb75e5e030210642e242
SSDEEP

6144:yjHGsrYibkORLSdn7MUZst5qXsunbLwMddjPXmF6EC1LlzxAKN+xTU5AX/KXWZCC:yzlbR+pMUQunbpd/mF6ECJlzxAKN2X/Z

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhqaefng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dokjbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe

Executes dropped EXE 64 IoCs

pid	Process
3648	Dohmlp32.exe
536	Dhqaefng.exe
3464	Dokjbp32.exe
3872	Dhcnke32.exe
3940	Dpjflb32.exe
3140	Efgodj32.exe
1080	Epmcab32.exe
4328	Elccfc32.exe
4844	Eoapbo32.exe
2916	Eflhoigi.exe
3932	Eqalmafo.exe
2468	Ecphimfb.exe
2524	Efneehef.exe
1672	Ehlaaddj.exe
3380	Ecbenm32.exe
2720	Ejlmkgkl.exe
3732	Emjjgbjp.exe
2960	Eoifcnid.exe
1948	Fjnjqfij.exe
4920	Fmmfmbhn.exe
2904	Fcgoilpj.exe
4768	Fjqgff32.exe
4216	Fmocba32.exe
932	Ffggkgmk.exe
4952	Fmapha32.exe
660	Ffjdqg32.exe
4128	Fihqmb32.exe
4960	Fobiilai.exe
1996	Fjhmgeao.exe
4236	Gcpapkgp.exe
796	Gjjjle32.exe
3748	Gqdbiofi.exe
1516	Gogbdl32.exe
3256	Gjlfbd32.exe
4448	Gmkbnp32.exe
2072	Goiojk32.exe
4084	Gbgkfg32.exe
4676	Gfcgge32.exe
4500	Giacca32.exe
4940	Gqikdn32.exe
5036	Gcggpj32.exe
2940	Gfedle32.exe
1928	Gmoliohh.exe
3120	Gpnhekgl.exe
2628	Gbldaffp.exe
3792	Gjclbc32.exe
2124	Gameonno.exe
1444	Hboagf32.exe
1340	Hjfihc32.exe
1072	Hapaemll.exe
3308	Hcnnaikp.exe
3288	Hjhfnccl.exe
3460	Hmfbjnbp.exe
2252	Hpenfjad.exe
4672	Hbckbepg.exe
4148	Hfofbd32.exe
4996	Himcoo32.exe
4292	Hadkpm32.exe
4280	Hccglh32.exe
1472	Hfachc32.exe
3268	Hippdo32.exe
1632	Hmklen32.exe
5020	Hpihai32.exe
4396	Hbhdmd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Dokjbp32.exe	Dhqaefng.exe
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hpenfjad.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Qchnlc32.dll	Hccglh32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hmklen32.exe	Hippdo32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Pnfmmb32.dll	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Lppaheqp.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Fmmfmbhn.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Fcgoilpj.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fmapha32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Iapjlk32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Hjhfnccl.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6444	6248	WerFault.exe	269

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlilmlna.dll"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	778feb34846d0cafb83573eec6234072b33a4951dac31dcba99b4860940e9436.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihpfl32.dll"	Eqalmafo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibpdc32.dll"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhollf32.dll"	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dohmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 3648	3260	778feb34846d0cafb83573eec6234072b33a4951dac31dcba99b4860940e9436.exe	85
PID 3260 wrote to memory of 3648	3260	778feb34846d0cafb83573eec6234072b33a4951dac31dcba99b4860940e9436.exe	85
PID 3260 wrote to memory of 3648	3260	778feb34846d0cafb83573eec6234072b33a4951dac31dcba99b4860940e9436.exe	85
PID 3648 wrote to memory of 536	3648	Dohmlp32.exe	86
PID 3648 wrote to memory of 536	3648	Dohmlp32.exe	86
PID 3648 wrote to memory of 536	3648	Dohmlp32.exe	86
PID 536 wrote to memory of 3464	536	Dhqaefng.exe	87
PID 536 wrote to memory of 3464	536	Dhqaefng.exe	87
PID 536 wrote to memory of 3464	536	Dhqaefng.exe	87
PID 3464 wrote to memory of 3872	3464	Dokjbp32.exe	88
PID 3464 wrote to memory of 3872	3464	Dokjbp32.exe	88
PID 3464 wrote to memory of 3872	3464	Dokjbp32.exe	88
PID 3872 wrote to memory of 3940	3872	Dhcnke32.exe	89
PID 3872 wrote to memory of 3940	3872	Dhcnke32.exe	89
PID 3872 wrote to memory of 3940	3872	Dhcnke32.exe	89
PID 3940 wrote to memory of 3140	3940	Dpjflb32.exe	91
PID 3940 wrote to memory of 3140	3940	Dpjflb32.exe	91
PID 3940 wrote to memory of 3140	3940	Dpjflb32.exe	91
PID 3140 wrote to memory of 1080	3140	Efgodj32.exe	92
PID 3140 wrote to memory of 1080	3140	Efgodj32.exe	92
PID 3140 wrote to memory of 1080	3140	Efgodj32.exe	92
PID 1080 wrote to memory of 4328	1080	Epmcab32.exe	94
PID 1080 wrote to memory of 4328	1080	Epmcab32.exe	94
PID 1080 wrote to memory of 4328	1080	Epmcab32.exe	94
PID 4328 wrote to memory of 4844	4328	Elccfc32.exe	96
PID 4328 wrote to memory of 4844	4328	Elccfc32.exe	96
PID 4328 wrote to memory of 4844	4328	Elccfc32.exe	96
PID 4844 wrote to memory of 2916	4844	Eoapbo32.exe	97
PID 4844 wrote to memory of 2916	4844	Eoapbo32.exe	97
PID 4844 wrote to memory of 2916	4844	Eoapbo32.exe	97
PID 2916 wrote to memory of 3932	2916	Eflhoigi.exe	98
PID 2916 wrote to memory of 3932	2916	Eflhoigi.exe	98
PID 2916 wrote to memory of 3932	2916	Eflhoigi.exe	98
PID 3932 wrote to memory of 2468	3932	Eqalmafo.exe	99
PID 3932 wrote to memory of 2468	3932	Eqalmafo.exe	99
PID 3932 wrote to memory of 2468	3932	Eqalmafo.exe	99
PID 2468 wrote to memory of 2524	2468	Ecphimfb.exe	100
PID 2468 wrote to memory of 2524	2468	Ecphimfb.exe	100
PID 2468 wrote to memory of 2524	2468	Ecphimfb.exe	100
PID 2524 wrote to memory of 1672	2524	Efneehef.exe	101
PID 2524 wrote to memory of 1672	2524	Efneehef.exe	101
PID 2524 wrote to memory of 1672	2524	Efneehef.exe	101
PID 1672 wrote to memory of 3380	1672	Ehlaaddj.exe	102
PID 1672 wrote to memory of 3380	1672	Ehlaaddj.exe	102
PID 1672 wrote to memory of 3380	1672	Ehlaaddj.exe	102
PID 3380 wrote to memory of 2720	3380	Ecbenm32.exe	103
PID 3380 wrote to memory of 2720	3380	Ecbenm32.exe	103
PID 3380 wrote to memory of 2720	3380	Ecbenm32.exe	103
PID 2720 wrote to memory of 3732	2720	Ejlmkgkl.exe	104
PID 2720 wrote to memory of 3732	2720	Ejlmkgkl.exe	104
PID 2720 wrote to memory of 3732	2720	Ejlmkgkl.exe	104
PID 3732 wrote to memory of 2960	3732	Emjjgbjp.exe	105
PID 3732 wrote to memory of 2960	3732	Emjjgbjp.exe	105
PID 3732 wrote to memory of 2960	3732	Emjjgbjp.exe	105
PID 2960 wrote to memory of 1948	2960	Eoifcnid.exe	106
PID 2960 wrote to memory of 1948	2960	Eoifcnid.exe	106
PID 2960 wrote to memory of 1948	2960	Eoifcnid.exe	106
PID 1948 wrote to memory of 4920	1948	Fjnjqfij.exe	107
PID 1948 wrote to memory of 4920	1948	Fjnjqfij.exe	107
PID 1948 wrote to memory of 4920	1948	Fjnjqfij.exe	107
PID 4920 wrote to memory of 2904	4920	Fmmfmbhn.exe	108
PID 4920 wrote to memory of 2904	4920	Fmmfmbhn.exe	108
PID 4920 wrote to memory of 2904	4920	Fmmfmbhn.exe	108
PID 2904 wrote to memory of 4768	2904	Fcgoilpj.exe	109

C:\Users\Admin\AppData\Local\Temp\778feb34846d0cafb83573eec6234072b33a4951dac31dcba99b4860940e9436.exe
"C:\Users\Admin\AppData\Local\Temp\778feb34846d0cafb83573eec6234072b33a4951dac31dcba99b4860940e9436.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\SysWOW64\Dohmlp32.exe
  C:\Windows\system32\Dohmlp32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\SysWOW64\Dhqaefng.exe
    C:\Windows\system32\Dhqaefng.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\Dokjbp32.exe
      C:\Windows\system32\Dokjbp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4216
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        25⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:660
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        28⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3748
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        39⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        40⤵
        Executes dropped EXE
        
        PID:4500
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        43⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        44⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        45⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        47⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        48⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        51⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3460
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2252
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4672
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        58⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4292
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5020
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        65⤵
        Executes dropped EXE
        
        PID:4396
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        67⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        69⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        70⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        71⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3196
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        73⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        74⤵
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        76⤵
        
        PID:748
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        77⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        78⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        80⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        81⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        82⤵
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        83⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        84⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4164
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        87⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        88⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4548
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        94⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        96⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        97⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        98⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        99⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        101⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5252
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        105⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5476
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        109⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        110⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        111⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5820
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        115⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        116⤵
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        117⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6080
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        121⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        122⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5200
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        126⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        127⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        128⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        129⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        131⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        132⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        133⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        134⤵
        Modifies registry class
        
        PID:5960
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        135⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        136⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5152
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        139⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        141⤵
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        142⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        145⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        146⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        147⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        148⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        149⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        151⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        152⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        153⤵
        Drops file in System32 directory
        
        PID:5288
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        154⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        155⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        156⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6252
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        158⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6368
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        160⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        161⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        163⤵
        Modifies registry class
        
        PID:6572
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        164⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        165⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6696
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6736
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6796
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        169⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        170⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        171⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        172⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7000
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        175⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        177⤵
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        178⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        179⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 400
        180⤵
        Program crash
        
        PID:6444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 6248 -ip 6248
1⤵
PID:6392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
276KB

MD5
970dc990b9563bb3d051b25520776295

SHA1
404201feb30e33987ab86dd76e81e442d09d60be

SHA256
10011b3b7a24289fb73ce1fefc208ac19d41a228ff15199256dc8fc3b6bce68f

SHA512
640263d4e4f46f3ca49522c59ce1e869514a521035e004ff0b446a6d816ae1f41e7528de9f04b6b37d3809f9d7a213da188ebdde574ef18c00c4f60093daae82

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
276KB

MD5
35b5c0ef046b356281070f5110bac0fe

SHA1
0aa4017f8af17a7c7f41fe20d997d59628b81226

SHA256
c09311de134546a6b168ccf3a4fc3f1de564b8a25f163f4fa840d3ae6e62c6cd

SHA512
163076ac0602f388f4545307d107a2ebda3a7ed83752fd36444342ca37ae8058a273e74d4f4696cc15c216d2972470f1252f7f227dbcb1238e55846e42ccda68

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
276KB

MD5
8bcb5660a91abbca5bf3246823495067

SHA1
5d1caf41ab9fb5a00173a8283a9e6dd93af9ea2c

SHA256
383b5683c367feec77f8af594932b38b98caafd0ee076e7f5debded158b23a3f

SHA512
fa996edf5a3c0e62c243c02fa9fe1be67558718979d132e4fc591badf00172721fb7d6ef947d77593a8d4d221da239cdd67272d8784eac772c51419d5526762b

Download Submit
C:\Windows\SysWOW64\Dokjbp32.exe

Filesize
276KB

MD5
f9cca297c1a7c5bedffb359fc3295606

SHA1
34593330b23fbbcec27f6571de07402f2612ccde

SHA256
db6e7cedc2206f5fe4698513315fcff0047927cd29c37b669790a3c24338bc66

SHA512
f61d031c32e48cc136eaf62d6cbb1bdac85ec1c03d0b3d4309dba0bdcf519c4657ca2edf9fd419ae70f4d2afe89c1371e3873a8053dcabccfd2692facdd5bad7

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
276KB

MD5
d1ad2e410289ed50bfab40454a59fceb

SHA1
f07b3c6e7092c130991f6d5fc5128a4f4b85dd41

SHA256
fea525ace8d38f2e76e30e2c3d5d092fced4dbbd67f442a53a162c19bb79c3a5

SHA512
fa11e678d939a52f7f5fe2e60b04444fe67f06a65b53c2f41841a7ddfe3e5b356dbc8db50fc72e5bde69e39239b9e1e0c18ed690a144e63a58b03f1a475870bb

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
276KB

MD5
b641e8d84854cde4470b9a1f8d3b34c5

SHA1
33d25531a122e2127c2593b097513e65a8dcbf1a

SHA256
1ec47d39deff3a31bef427e0f132e4f1620a90efedfd9c990ea384b0ce415e27

SHA512
6bf4ee36c9f76e7fd799cd2fc8b4ec391a10caf60c8cf14bf3a4b4dfa169f9a4500c2f28c73781c898fe160500bc9e9212dea77d86f5006ab96309de6bc1c685

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
276KB

MD5
7d2ff9263fc7056ba90ff1022124359d

SHA1
1aab8e90ca8678b75626cf26dfee9e654f7dc8b6

SHA256
a4db743250814bd9e99d802659d44afff005f0bde4adb61588cae751a485cfcb

SHA512
a14fde178222725690674e5d73348dcc99b8a1f69f1d039bd1399833f598462474e31598fc1e816e976366889e55efd450cc345bc472c892d9a5b9f1a363c8ca

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
276KB

MD5
fc847e4678d23b4cd28c94aee3c699e3

SHA1
709ea042b9658d8edb335e00786542152e7c7833

SHA256
c00be2d273eb9a4dda9fbad726b4496cf0d83c02a1d1a5808e95409645de282b

SHA512
dc165f939dfb1c202fbd4fef786565431d1fd904fb669bf7f47d42003e3f11ff429c821a71dbffdf6cd72fc8a12745a12b8298766b864dc4d4ef305be06bf045

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
276KB

MD5
58fc5f6a851f8c357865d7cc36cde004

SHA1
91b42aab4e0c5a6f4e21308e0449b96dbe854133

SHA256
d2955f62a5c3fa580f5d490646db8d57d27500ddca02b8c79c1ecabdb3191082

SHA512
b9f7624dbdeba9239270d46b7d82a0a8c1c6e86580067376a1af0afebf2ca2ba2874b96fc4d0d48f25965a20369497c0a2dae10cbc7b0ba95c794a6615016938

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
276KB

MD5
8778c253f90b21a655e8418963675634

SHA1
356cf6543a10f48732c852f1acdecf1d6bbb39e0

SHA256
b8537027a643aa5a02df6e4dae3b0afb25d54222790aab538dcce63ae067e704

SHA512
5ba0964df7735deef0b4779e90d4d3cd867c077e6790a98da7053c8fb293621d281d5269d5949f3566fd2cf9a79ac3355f3effcab9eeecf82b3c270785de1fc6

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
276KB

MD5
5b35add5617ec648ad2ce9222298b7e8

SHA1
d7e2b80c9c369aaef5baf9633b81263ad43779ec

SHA256
1679deb16197688f94f7285a9469b2af2fc797e7861621be74de0971d2281197

SHA512
a8f89d45b65a3352b83100c4f588b695379923a42e9a5e09bbeb2763162592c799bd0c735e1b625ec41226b1ab09c75481bf945c0b6410aec610bb88bb877c70

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
276KB

MD5
4351d95b5144fabcbe0d20016a5811fc

SHA1
6d34cb0bbbb41f154adf27782a2f5e95dce13ecc

SHA256
47dfc0c0eff03ee64a1af7917e4e9ec4f5eb03c2dcdab741200bfa497c50c22b

SHA512
7ed601637aeceb70ea21dd49f67465b4a398dd4b000c0b4ab727e5b18dc71b8e6eb96fde532fd887169db11d6c82d15b5e24821c291656abfe39fbe4ee7cbfb3

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
276KB

MD5
a25bcf2961e8bf50ad28b3bed16d0022

SHA1
643bd8f4ed8a78928cff5c2469f0f846174e536c

SHA256
ea72210bfa056d9a0bfb51756b85062ffa496e678711b181b7adc1caf56b9674

SHA512
58552aa091ef478c74d547e6bb084ef5f89bdef729b109d7c9939f3062be28a76a5fc157b05b84ef0feb967de16b5dc1247175b4cadaba7f8e4f7af7861b99f9

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
276KB

MD5
667a78e443618ca6a99b327e1d81199a

SHA1
9d2f9bfb3babb7fdacf8e5bfd123db064874954a

SHA256
43a68f28cb7cbbf5a372a59d6469a85bfcaf8c69b527dcb5657f66cfc6ed8cf0

SHA512
9cbfabc6c021c22ee1f6c72a1cd3e8e3143b64393b49d5a1937dd108dcfc636716fdeb36d6ffb8d9e502a943831191ce2d9b32ab7a8d7fe0d16333325332e9b8

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
276KB

MD5
08a61a0e35f39080abf9654ebdaf072d

SHA1
7b1579d27d5b973cd281fd3584ec87c301edef40

SHA256
02995acf34d76427d42657556b54c7ab0d3eb1310296fabcb87a244ae74bb31f

SHA512
0286d376b91e4f05b8d9848fdbd939abc34071916460b50a68e27fb87464c19120195a4e68d4bbdf11f7de30f12cc03085a28fbd76d107375f19e747756c89f5

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
276KB

MD5
a7b097b28efa0763fe7fdf7328a77bd7

SHA1
5cf1673d3057269b5c225fc341fb8448c34146c3

SHA256
bb61aeb755fc5b822fbcb9dce993de7fbf7f520135e535b07d3264c5c7d6bd03

SHA512
dc330bdd9ce669671e15565c2e19214c51bf47f144e863089d903450769e12b36fcfa23011675e34365919142988e15e4f7f4ef9832e4a33741b8b24cabd2cb6

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
276KB

MD5
28830ee2eca394044a35f8e1bee97092

SHA1
7e99e7ea6c06d3482f1570ee5020ab36b7789dcc

SHA256
1f7c2ca48aea1c6a87e2034f947fdab970f949d4ca7d0c0eb9bc21366200cf9a

SHA512
4908cbd0bc500a1310451ed2ccf8f69c52a115ded19ac44f9027f630126a71930e74cf2c1a0abc1869d06188a72a31eba9516cb344019eab46be28649010d190

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
276KB

MD5
d9ed44d22dfecbdf1ed3950cbf2bbf7a

SHA1
ed9812f6abf2d3edc74ad77c3405075d04931d83

SHA256
58b2aab213ee84b9cd32dee15ba5055f3152c4b865c00a6261a2eb0402fe3eb9

SHA512
515a98299a93fb7999c6a8f23ed597b8d32b2d8b6b3ebbba731049932ce129cd2ad7989daeb4687d399417bc853d939139a9841da8486f95943636f956ddc8a3

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
276KB

MD5
4a5cb3e69021824bc784778e94a69481

SHA1
086a577c49f25e0a02d394af64357ef6e56c99aa

SHA256
05d68e21baf5316bae07b9e2a3ecec379b86013ea32dfce41606bcf7a63348b1

SHA512
dd21eca4c7ac6c87bf9d6772af8a5662b44c749d5bec56c32f581500cc5f0a5f41711ec9d17be63867bb84670c618f1b6a5af3aa8bb5410f817a6510893d8ef3

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
276KB

MD5
ba9bdac3da6c90da0b695140b8ad425b

SHA1
6497c4f6ced4bf80456850a18a8e607dda7f2b8e

SHA256
486976932f2ef9da1697c172d353f0d4d98c610ab31dd128730994ed2658ca97

SHA512
c5ee7347f2b32dffa8795ae1e35c252f356a6b534e37284d287c4ad6c74eac10730faa057ec1c47740b21054ac0ca1829a2e920e3bdf7554dc81bbcd9626a996

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
276KB

MD5
346cbcd4a709bf782f14d7543933107a

SHA1
f49f200fa6377cecf1c0b3ad0abad41698a29939

SHA256
ea2154368c0e6e2bc3e548845b69e293bcb0aa259b7040ed726f05ac6f513594

SHA512
2dd8d1606ce3c608557143f4233cc087b278d8b8ea1bea96df59aa215c168431e1b672835efa97a11bf98df2e301ba333f1ff909ec4b58a64c239a2988553759

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
276KB

MD5
88ac9f1049244c0620c9ba358868ba96

SHA1
59eaabc98b48998246ad4b2b091e66513a5cc420

SHA256
f9eba69fc9f48cd59cecc14201795ff59b4878a34979a65abd43c06dd699d07d

SHA512
6230f72700adf171b20e5e584e0dbacc2e4f358dd306819360a8137b7927a35611c8278dd3af3795538b928be1432193d1fbed84dca9241344694b47059ab07b

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
276KB

MD5
28d68ba9145a8ff87c7451e3d2b79bcd

SHA1
0e562c281f9c5e68d86f415b191e7e2bb792c561

SHA256
c8889cd794d383a674975d4ac94de7dd615dd7532cf20e84302b3930e76bb308

SHA512
219afec26645034a69e58a54815eea9393c07f8657c928e927ff83247891be53fb24b8a186b9d9d8d3829f93204d214732f610468a3683a6d8ab5a8bf5f2cf1a

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
276KB

MD5
b7f789ac19130458af80781383534c82

SHA1
8896c3701f4177e1df76dafd77a950a434db6597

SHA256
a3dd5c0678b9db76b0d8f6c8e066cef307c65b37d232c9b5c5eca5abbd00a22e

SHA512
30f1893ec8ba51710a66fa092a518b56448ca6055e8c8b81702d26a276b87ef8fa81c09bd3246779de9c4092a55df4f6a76a94b9d06b0918b7e15a530d55fe52

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
276KB

MD5
a8dc904555c7480fb425546a67e40185

SHA1
efbc70be4e19f579de3742e5efd20313117b0922

SHA256
d570fbc2c00d47aa248211515f5732fc15319f4e5a433ad881b8053d8114db52

SHA512
bcd21ed66d764f9f4352f0d13c1ece0cec7ec169b76d908918f7730d72872f2c3950421870b94e4aa66d4a51c2cfca9afdb1b636a6d5dde005d7a44d35a34357

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
276KB

MD5
28ff6ecfcae01de1f2a6d110a3f44041

SHA1
c40c98c360c6cdb8002511b3d1df96d51a51f48f

SHA256
4530b14a40255f98de2d7488c77e8d0d3504de42e12f221a3ae1ac55b07cd0c2

SHA512
5bc731533cdcbf4579947c60b8c25eabf68f55a4452bc0f0d261ae7c2513a79ea01f43ffb8ea7ba58934fcf7c536fcc3c9f5b9dea571b5e0b64191bba980ca1d

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
276KB

MD5
508164c61ac1c1b4cb67a8960ea5b893

SHA1
7a27b37b0577006d0d6414b60901870238bcbe21

SHA256
9694a8eaadb7d5ef95c01682735ddd27fe0ff4fe4d96bd024c976727aa6133c0

SHA512
44e913a6fa57d2949b5edd08890c90907f45f6333b1326a1c993ed4a7224e9c3e78ad663462cef779c357023cd88360febe588772a08c4ce57d7d7a97863b01f

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
276KB

MD5
e582b9dcbb21ed86efb59a7b5747b4c9

SHA1
e6bb4f9f0ed84d3c80c24690c8d54c2a041fb3a8

SHA256
2396c7036b1b401724c473eda0982da36fa7ef06a2b08435caf412d3da1ae2a4

SHA512
4fe79494de791bcc82dd8c7abc4d9d3ddd6c6daa784fd4476677322188e6cb88ac0a0efc391aa8937c83145bf65497ff70c27373c2babe239c249a1c65ee34cd

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
276KB

MD5
6da680a6b20a19a3d59b37c70fb5f515

SHA1
9edc6a58bb5a600e5bc802d28044b34db8eef3c4

SHA256
6e65eab4f0263a678bdb98676386295da9453b21f025565aa761ac5d0f5ea0a5

SHA512
952242b5da196cea0f66bd0b64437dd575c70af1eab124e4914ef59cf8a8bd38243cf73b8756e76aad1bc566fb272e4f5f5c6c87425649048b8da8d6c1c7bad1

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
276KB

MD5
43bd0e30b4dc3e5b0d9fa8a57de3ee94

SHA1
212907c8d8e7bbbacecca64d829648cb3a897bbf

SHA256
410e4a35c7bab3b310c4e6b2507ca3fb7901d55f797c4977b281819d21376d83

SHA512
c5a5b60c733ee164e191f453f2e0ca1f2a80156323a8ca9b3f7f1e3abc536fbf14135b1a18fa3003d6b813791b60e8eb1d2e709c64fe592ef0a0f0b37024a3a5

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
276KB

MD5
abe5d5eda9b8f61510910bff90309897

SHA1
f73106ef9ee840aa76dda132f16d5b49a5717335

SHA256
765dcc37deebfdfb983cd950939083a65c99b860a3159c07e8b65d147c269f64

SHA512
ebaec4514ae616b856eebf7a9d1dc2665fa3c3ed2576f8acc0665eb156fcc97f9e74e57301f403b149020769dc12a99c6c7acd3b31047b1670433fd72aa205ed

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
276KB

MD5
57fa6f7f53eb9ba63f5f5c936a175db4

SHA1
ff228a90ddfb82a7006c6156b71cba16b1139863

SHA256
11775322bd886e18b2adadaee0402384c0b6a0404543983f4ce49500877a75d1

SHA512
bd7c4fcdd67de46909388947a3746c32f87babd33880f5854ee127c7b5d452885e158ef1dcbb6c649a9dfc00b6712e3198a480cdab1a60cfc7f6d0c6f456a9dd

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
276KB

MD5
060643a1e966577b947bc12b319f3ce5

SHA1
7ea9c906f0d1515da4f7955a9359415fef6f5f8c

SHA256
caacc62524da5c51e455aa319e38441adf32882974644482bfe976ec9bd8b471

SHA512
4e89c7fd1fb5c53632de69c3b82b5e20455a46274c7c5b79d7e07010a14660ef5c981b92a415b15cc3686ca1bb2fc8b0f65659263bf4b5e1393af991dc3bdedf

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
276KB

MD5
f592d8055ea33ee9b251bd063ee56a74

SHA1
e4d56e02f6497643088d08a9041efa1f0069ecc6

SHA256
9deb3810f80fc1321b2faa648a34507518dc0a7937bbaeb3edff76226e2e1461

SHA512
deb1b0c2dc34a7594e33f2e0502911edb0fb58f5215842a10df83ee009afd5f1291a1663a2b4832c8cc4fc80daf4b8b17602b7d1c5cf421d5878d671b809ea35

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
276KB

MD5
fb8d17cf80d07819b5a9e4ceaa390b61

SHA1
d7172a455e5d9a8984a02da44620c39550f0cd3f

SHA256
3fbd6129e5471f819f474cca8fe6bcf1cc57fd67df9f920e63904441d85ae13d

SHA512
356b709a1da2967dbfb6086551a3b743e9cbd9ea873af9e0d1d3d1ff48c6ff0592f5dbe47c4f83ec4be7745c93ccf2b5bcf558ec095d01e463efff0daa61b592

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
276KB

MD5
c8b1a4fcc67ff19c08f1a135911486ec

SHA1
9ec8bc4019eaad854c10886e133eb9d55ed05640

SHA256
65f19d31b594b7d6d30aadb1c9d07c37b23d1adcdaec47ac41b90a5aa44c07b0

SHA512
756d19b1f75016fb861464c858ce6cb889de520054e3b4b860ed023eef858a733f88b79589caf838b5ce87e65f7e3daf31a5cc82b8ad462df85ef5025f24db08

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
276KB

MD5
db67a20216878ab453ecb7e102351fdc

SHA1
65e109a5aa68fd69b85b47c772c0410f0035231c

SHA256
159b1ae58dd61093ff0622ee8afdee222a4b9262c1fe8e7149e52cb64b01afd0

SHA512
735e6c63aabad00c28b86de336471703ae0b9d30041fb9fe725d3e08452a35c5787c8ab884b89858abe1edf7566f35817d732c971f6ab517953d2ad268623a37

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
276KB

MD5
6e7e3d07aa5673a2e1cf008aea68864d

SHA1
e9706c346cedfb24ce1c329c6dacfb257df064a3

SHA256
b2ecb91b938321e45ae1405bce7087c36ecabf86767dbfebf967222abdf57a49

SHA512
4e34903aaeb6050c6cd6d0c6ec779b7bb6947adc716351df0e4ff4509ceaedc757bdac76acf48dffc8f06b491967796bdc304a7bcd51ac32adc9b7ec6e3cfb00

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
276KB

MD5
4350335a5f35c5fb02581136ed494922

SHA1
fddc64b2b3475af7d1aa02fa381278e830fe5073

SHA256
9feaf57b4feae57bdc78181fe49232890a1d95a101e31267d24fdbe3ae2b8661

SHA512
ff95281060132a405b05af3393ad93fa6b4c23950db98df8de15e8b935cc5f060822be79eed82c83eb58edaafb7abe0630dda7dd8a801c11ec28c316fa055557

Download Submit
memory/536-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/660-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/932-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1072-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1080-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1340-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1444-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1672-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3120-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3140-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3256-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3260-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3460-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3464-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3648-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3732-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3748-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3792-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3872-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4084-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4128-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4292-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4672-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4768-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-76-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4952-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4960-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads