1f04988c8e5520ca37d32f3325a00003ea4adfbadaafcc95dbafac19f8814b70

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f04988c8e5520ca37d32f3325a00003ea4adfbadaafcc95dbafac19f8814b70.exe
Size

224KB
MD5

c4ae1502e26f6ffe4ab12155aa0d9fcf
SHA1

1ed1736b6d8101850de39cae3e913b22cdc1b2e2
SHA256

1f04988c8e5520ca37d32f3325a00003ea4adfbadaafcc95dbafac19f8814b70
SHA512

41b30494c40cac7c217d82ac68d6301979fc7043a5f9954535cfe891990574eb66a057a8f0b28a1b3948321f0e3de396cec2c3c2eab383b97d9cb696b5998a94
SSDEEP

3072:mRaTOCqetk5auq2B1xdLm102VZjuajDMyap9jCyFsWteYCWS3:mR8ketluq2B1xBm102VQlter

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcdimopp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbojmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecphimfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe

Executes dropped EXE 64 IoCs

pid	Process
4832	Dadlclim.exe
3520	Djlddi32.exe
2252	Dcdimopp.exe
2556	Djnaji32.exe
3892	Dphifcoi.exe
3896	Dcfebonm.exe
440	Dfdbojmq.exe
4028	Dlojkddn.exe
3992	Efgodj32.exe
232	Epmcab32.exe
2424	Ebnoikqb.exe
3376	Ejegjh32.exe
4576	Elccfc32.exe
4204	Ejgdpg32.exe
1692	Eqalmafo.exe
1240	Ecphimfb.exe
4548	Eqciba32.exe
4828	Ecbenm32.exe
4236	Ffbnph32.exe
1292	Fmmfmbhn.exe
1092	Fokbim32.exe
760	Fbioei32.exe
4492	Fjqgff32.exe
792	Fomonm32.exe
4976	Ffggkgmk.exe
2508	Fqmlhpla.exe
1384	Fbnhphbp.exe
3160	Fqohnp32.exe
3516	Fodeolof.exe
2832	Gqdbiofi.exe
2848	Gcbnejem.exe
2320	Giofnacd.exe
4612	Goiojk32.exe
3844	Gbgkfg32.exe
1880	Gpklpkio.exe
3228	Gfedle32.exe
4344	Gmoliohh.exe
4800	Gifmnpnl.exe
3596	Gameonno.exe
4424	Hclakimb.exe
3940	Hfjmgdlf.exe
3996	Hmdedo32.exe
3936	Hpbaqj32.exe
3872	Hbanme32.exe
1956	Hikfip32.exe
4100	Hpenfjad.exe
1376	Hbckbepg.exe
3676	Hjjbcbqj.exe
4916	Hmioonpn.exe
1572	Hpgkkioa.exe
4572	Hbeghene.exe
3792	Hjmoibog.exe
4244	Haggelfd.exe
2988	Hcedaheh.exe
832	Hbhdmd32.exe
1224	Hibljoco.exe
3220	Hmmhjm32.exe
2952	Ipldfi32.exe
3508	Ibjqcd32.exe
2900	Iidipnal.exe
2020	Iakaql32.exe
2812	Icjmmg32.exe
3856	Ibmmhdhm.exe
2576	Iiffen32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Efgodj32.exe	Dlojkddn.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Knceql32.dll	Djnaji32.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Epmcab32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Efgodj32.exe	Dlojkddn.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fomonm32.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Jfdida32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Eqciba32.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hikfip32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Fqmlhpla.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Jfffjqdf.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Dphifcoi.exe	Djnaji32.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Ibmmhdhm.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ecphimfb.exe	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Fbnhphbp.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Iannfk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5260	5892	WerFault.exe	251

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeiooj32.dll"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacdmi32.dll"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1f04988c8e5520ca37d32f3325a00003ea4adfbadaafcc95dbafac19f8814b70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceakm32.dll"	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dadlclim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmkpqcp.dll"	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1f04988c8e5520ca37d32f3325a00003ea4adfbadaafcc95dbafac19f8814b70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hibljoco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcdimopp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4832	2860	1f04988c8e5520ca37d32f3325a00003ea4adfbadaafcc95dbafac19f8814b70.exe	83
PID 2860 wrote to memory of 4832	2860	1f04988c8e5520ca37d32f3325a00003ea4adfbadaafcc95dbafac19f8814b70.exe	83
PID 2860 wrote to memory of 4832	2860	1f04988c8e5520ca37d32f3325a00003ea4adfbadaafcc95dbafac19f8814b70.exe	83
PID 4832 wrote to memory of 3520	4832	Dadlclim.exe	84
PID 4832 wrote to memory of 3520	4832	Dadlclim.exe	84
PID 4832 wrote to memory of 3520	4832	Dadlclim.exe	84
PID 3520 wrote to memory of 2252	3520	Djlddi32.exe	85
PID 3520 wrote to memory of 2252	3520	Djlddi32.exe	85
PID 3520 wrote to memory of 2252	3520	Djlddi32.exe	85
PID 2252 wrote to memory of 2556	2252	Dcdimopp.exe	86
PID 2252 wrote to memory of 2556	2252	Dcdimopp.exe	86
PID 2252 wrote to memory of 2556	2252	Dcdimopp.exe	86
PID 2556 wrote to memory of 3892	2556	Djnaji32.exe	87
PID 2556 wrote to memory of 3892	2556	Djnaji32.exe	87
PID 2556 wrote to memory of 3892	2556	Djnaji32.exe	87
PID 3892 wrote to memory of 3896	3892	Dphifcoi.exe	88
PID 3892 wrote to memory of 3896	3892	Dphifcoi.exe	88
PID 3892 wrote to memory of 3896	3892	Dphifcoi.exe	88
PID 3896 wrote to memory of 440	3896	Dcfebonm.exe	89
PID 3896 wrote to memory of 440	3896	Dcfebonm.exe	89
PID 3896 wrote to memory of 440	3896	Dcfebonm.exe	89
PID 440 wrote to memory of 4028	440	Dfdbojmq.exe	90
PID 440 wrote to memory of 4028	440	Dfdbojmq.exe	90
PID 440 wrote to memory of 4028	440	Dfdbojmq.exe	90
PID 4028 wrote to memory of 3992	4028	Dlojkddn.exe	91
PID 4028 wrote to memory of 3992	4028	Dlojkddn.exe	91
PID 4028 wrote to memory of 3992	4028	Dlojkddn.exe	91
PID 3992 wrote to memory of 232	3992	Efgodj32.exe	92
PID 3992 wrote to memory of 232	3992	Efgodj32.exe	92
PID 3992 wrote to memory of 232	3992	Efgodj32.exe	92
PID 232 wrote to memory of 2424	232	Epmcab32.exe	93
PID 232 wrote to memory of 2424	232	Epmcab32.exe	93
PID 232 wrote to memory of 2424	232	Epmcab32.exe	93
PID 2424 wrote to memory of 3376	2424	Ebnoikqb.exe	94
PID 2424 wrote to memory of 3376	2424	Ebnoikqb.exe	94
PID 2424 wrote to memory of 3376	2424	Ebnoikqb.exe	94
PID 3376 wrote to memory of 4576	3376	Ejegjh32.exe	95
PID 3376 wrote to memory of 4576	3376	Ejegjh32.exe	95
PID 3376 wrote to memory of 4576	3376	Ejegjh32.exe	95
PID 4576 wrote to memory of 4204	4576	Elccfc32.exe	96
PID 4576 wrote to memory of 4204	4576	Elccfc32.exe	96
PID 4576 wrote to memory of 4204	4576	Elccfc32.exe	96
PID 4204 wrote to memory of 1692	4204	Ejgdpg32.exe	97
PID 4204 wrote to memory of 1692	4204	Ejgdpg32.exe	97
PID 4204 wrote to memory of 1692	4204	Ejgdpg32.exe	97
PID 1692 wrote to memory of 1240	1692	Eqalmafo.exe	98
PID 1692 wrote to memory of 1240	1692	Eqalmafo.exe	98
PID 1692 wrote to memory of 1240	1692	Eqalmafo.exe	98
PID 1240 wrote to memory of 4548	1240	Ecphimfb.exe	99
PID 1240 wrote to memory of 4548	1240	Ecphimfb.exe	99
PID 1240 wrote to memory of 4548	1240	Ecphimfb.exe	99
PID 4548 wrote to memory of 4828	4548	Eqciba32.exe	100
PID 4548 wrote to memory of 4828	4548	Eqciba32.exe	100
PID 4548 wrote to memory of 4828	4548	Eqciba32.exe	100
PID 4828 wrote to memory of 4236	4828	Ecbenm32.exe	101
PID 4828 wrote to memory of 4236	4828	Ecbenm32.exe	101
PID 4828 wrote to memory of 4236	4828	Ecbenm32.exe	101
PID 4236 wrote to memory of 1292	4236	Ffbnph32.exe	102
PID 4236 wrote to memory of 1292	4236	Ffbnph32.exe	102
PID 4236 wrote to memory of 1292	4236	Ffbnph32.exe	102
PID 1292 wrote to memory of 1092	1292	Fmmfmbhn.exe	103
PID 1292 wrote to memory of 1092	1292	Fmmfmbhn.exe	103
PID 1292 wrote to memory of 1092	1292	Fmmfmbhn.exe	103
PID 1092 wrote to memory of 760	1092	Fokbim32.exe	104

C:\Users\Admin\AppData\Local\Temp\1f04988c8e5520ca37d32f3325a00003ea4adfbadaafcc95dbafac19f8814b70.exe
"C:\Users\Admin\AppData\Local\Temp\1f04988c8e5520ca37d32f3325a00003ea4adfbadaafcc95dbafac19f8814b70.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\Dadlclim.exe
  C:\Windows\system32\Dadlclim.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\SysWOW64\Djlddi32.exe
    C:\Windows\system32\Djlddi32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\SysWOW64\Dcdimopp.exe
      C:\Windows\system32\Dcdimopp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\SysWOW64\Dcfebonm.exe
        
        C:\Windows\system32\Dcfebonm.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:792
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        28⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        29⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        31⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        32⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        36⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        37⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        42⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        43⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        44⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        45⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        47⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        49⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        50⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        51⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        53⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2988
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        58⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        61⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2576
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        67⤵
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        68⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        69⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        70⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2364
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        73⤵
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        74⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        76⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        78⤵
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        81⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        82⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        83⤵
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3728
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        85⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        86⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        87⤵
        Drops file in System32 directory
        
        PID:3256
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        88⤵
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        89⤵
        
        PID:412
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:220
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        91⤵
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        92⤵
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:532
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        94⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        95⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        96⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        97⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        98⤵
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        99⤵
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        100⤵
        
        PID:452
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        101⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3980
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        105⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4340
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3440
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        108⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1908
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        111⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        112⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        113⤵
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        114⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        115⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2852
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        118⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5280
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        123⤵
        Drops file in System32 directory
        
        PID:5356
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        124⤵
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        125⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        127⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        128⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        129⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        130⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        133⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        134⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5856
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        136⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        137⤵
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        138⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6032
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        144⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        145⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5544
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        149⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        150⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5844
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5904
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        154⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        155⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        156⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        157⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        158⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5384
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        160⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        161⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5144
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        168⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        170⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 408
        171⤵
        Program crash
        
        PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5892 -ip 5892
1⤵
PID:6104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dadlclim.exe

Filesize
224KB

MD5
e1d753548a76b70997ff0a2f15a3b78a

SHA1
62a8eb812b353c617e7e44440eda3d95105da8c5

SHA256
3ae514563ae0e6260bfd49d8989ac6686472f64764e4e87f5865db84f8d2d8a6

SHA512
6f709eea061235b3240407b76f2f004780b39f2046cb479ce55c8607b10af7c934251749cbaf18523e505aa959c00511f99a2bf20e3d4d293723787e2fb90460

Download Submit
C:\Windows\SysWOW64\Dcdimopp.exe

Filesize
224KB

MD5
688aaabb58b93ca6a2dc4be744c47da5

SHA1
d2d144594958b6d2211d6e23313dfe49a3dcb8de

SHA256
256203a6e3e78cbc2a0c19591d5293042786be1895d390237fa1d1da189c7361

SHA512
768c37ab2b5a01a31a10f9bd5761d4955ded0a647381aba1d9ba67187fd95a5de0ffcbd766b69dc77c9808da6944fef2bf08a30cd55d98a10d1bab1aa515c72f

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
224KB

MD5
b8c9ea29e506c4134408de9598ca657d

SHA1
23a92f548173b1bc45f73220d6b652f179136bd0

SHA256
958a2fc1aed26e159f2f01b14fd216d4de283023d18c21597d589b31c981a168

SHA512
e311102385723340571b7631e41aa2f1941d8d74d180fedd7952e0aaedd2294915be4dd436f7ad15426aa649848e2bd279a67e654b084763e1ca2293286abb66

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
224KB

MD5
2f27330903f76f7e3893056700fb77c9

SHA1
fc0f4f5c051f3595909a62fd3ab8837deae1ee42

SHA256
7b7c6eae438e7c621b87b3d3db2374e170ef689bb10f976c7289c2277da5ec31

SHA512
a7e58e9593a272a4c69229e07733e0b0673a2c0157c8ebaa73e18eb2aeedbfccca1c7366b691b95a31da5ca24a9f491107c81e4ee8769c1939e701344ea35ccf

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
224KB

MD5
07d7c867fe7b3e945dd2b5400b765034

SHA1
ef25a9e5b9f7d213d9405271b37b96c00e997b19

SHA256
955526f8b34b8e84c8901a7fb48ee7348ab55c263aa8bfc655dad4319f6b51f8

SHA512
0a1daf5be6c9cdd7c10bcad18a74940004aa8e0936e6116f30d4038ac2935686be894ab30d818d0f102eae8919692534a5fb3865ff021a923067b06367c92a9e

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
224KB

MD5
89d420f7a95a2ffcc7f3bfd60d7a4fea

SHA1
ddb2bdc01ef985f9b6620ecca95abf2be92c320d

SHA256
e6ba20eff3545a6acbc2a03b8ef67c19cd5678b89805460c76d60c43a1c0db66

SHA512
5386ef84fed35dcae3dac1beb970fd273f289b8f7ab76fc7332835fd366546f3a3706a0cf0fcd01c34aa058c6c19a4c914ae37a931499542aa5538e6be044c39

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
224KB

MD5
6a612d6a79861c218e021167657718a0

SHA1
7340babe73d80eeebc7980c8fa8a7b9a4120ebd9

SHA256
ffdfb4b4d0e80079da11564024f2eb42873a54914681c07084ef7f08ab49ae4b

SHA512
ad602385cd348c06f5a59984c8e095bc1da99ce942287a42dab3ffafd2a153e594a93e1faebd783ec535836a208b5da825bbbaea2dde57bbd3f8d36733b9f9cc

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
224KB

MD5
b5c61346ba6bf1bec87c62454e56518d

SHA1
a53f1b16ffc429bd27157a4021f8e50e7acd942d

SHA256
dddc2aefb565e71d51dc845b2b7265dfdc899a772aa281ecd8a762cc4ffe9f89

SHA512
423823a8d040e8c64840b047e1362a2b19c9b3420626d9236f6bcddca529c05d8961e95fdcacd036a40d203d4cc0b5fcb22b4de071fe1447f5f95fd819cb1ce9

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
224KB

MD5
cd49cadd9d4a1c28a11fe6621f9cb403

SHA1
8f35bc79cac540c78d2cc9eace5635daab134d1a

SHA256
457eec581ac39079f48816fb2896527f01acb33b1b818409f853e442f144abe9

SHA512
4460154e64ea805d86fb7673406720808ff5552bbd26adf364d6ca578b9d5626231cfb5e86c1bbfac0448a0ddfffc54a455cb4b70d8e17488dd850ee9f1faf8c

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
224KB

MD5
edaa33d790a27257ed47871234147162

SHA1
a6b6a46a689e9bf9022ac907be110ff516df7679

SHA256
cdcdbaa8fbff7af5bc21a0d7946873c57379200e16983cd1eb060e6955cda342

SHA512
0e0f5bc0ebd8a171593b2f48d2a6332d97d65efd01efa35e802617c47e2970b4fa4c95a951b9e548acb821004a1e9798b676d64cc43720f5c8818c788af92e41

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
224KB

MD5
0502e4f47e1fb113565609e9988fc801

SHA1
96a92cd41434fc4806b465c20f813953b220287f

SHA256
ad717bf2d598061dbd4f91c3c1c45b842eb5aff06c4a8cf5310e0024d2b527e0

SHA512
7e19bc03926b56e160f696400d297623889a12a6857b828ad0b5ec78c5746ec8ce78e6166b3fbb2b47637bb6bba2f943f066a83b31c97bfa2323b52eadf94059

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
224KB

MD5
c0ecdf78909c1c4fd539d2dc94550cce

SHA1
07f02d96ba6a19ef409b42e10de77c5c258f3b8f

SHA256
20c24adc1ef04ec43cefaa1b26e46273c8cb18970ffdf6df20f53f08754645c5

SHA512
eb8537567cdd4b68979d360ed3917b3a9acb6614cc08689b305e3614c8ad17ee9561f657c6eefb50eb0a3ea68344907945702054c4baca89c50d93248ff2dc43

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
224KB

MD5
3a9106cc8550ee45dcbc3c6064b71753

SHA1
ff51e89ee24fbbe0715f3eec7aad7bd926b55286

SHA256
ddbf968a7cccec3f48c1ea0f5a9f7cd3e0822570a06fbf2b3ee2d05ef4c6efa2

SHA512
10e7043a2c0a0a971f7af9b412c92ea2dd7eb8a9028aa711f75cc7425c945e539dd2437b83d0d9311144d5045b9981c61eb976c14e6b251f1ae3d5e02ce24a4f

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
224KB

MD5
6a981f2af54c648a874635523c870678

SHA1
c360a342144ac3d460a974346a26fce1e5dcf6d2

SHA256
2234d0c113a8e874686fc4cb51a4447b37c0727f2593d51f19ff5435c07c32de

SHA512
03d26082e330d79019f8676e487c0b6c85c9ee61d838ebf6d2ef06b4471f399628b4c53b0b6cff2f844d95e4e854c93ac3ddba0f436420634b8e7bc5bfb67b7e

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
224KB

MD5
a4dfc073a8921272240e98e0dbfb5369

SHA1
b28399f55f5b177d7a5f28b375d66042c864e5df

SHA256
37604cbc403e03e83aaf6e87ff44a3fae42a793fa626b4c86b6cd64fadc4093c

SHA512
1323db9066cc500d2b000f466b7d10b8ebfdfc262ed2d0dc155e2bf1e6857b59aaf5fac186449cd27946e04868c4065aeb6b488c33a26423d6dac549777c3f0b

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
224KB

MD5
51077d657531bc6242f8ad5f4a092279

SHA1
0c630788b21bc0140e3e16f9471f68cbb1bb2647

SHA256
f6e800ed7ee13f51b75ea69e73217115920845e3b46d557df709f1b2f1d91483

SHA512
9fc7ea10bfe5124449344d1e5ebc901827db4aaa5254ff9ee2abd7c983e8a69245971fa712ae2ed079e25bbc029793c0c203457158af4ce532b04db8ce49ad6f

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
224KB

MD5
a789469dcffaa84d6e006beb8cc30153

SHA1
cdd78bf75043c9f23ec0077c88e26017a437868a

SHA256
52aaf636c3bff08e9a6a3365f60aa3ca229101b7eeb97ee9b1b077d6f5950525

SHA512
1b1f3e3e2ab34a147900d1416332e2f1e3f833eaf1458c8d4ae9614a3368b012667bb3fcfd3dfb0802f18971c7ee7b58d897913e41150d9295b1e7a88e27c681

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
224KB

MD5
2d0a58def77f13ce7f263f669b9f1968

SHA1
88970d812036fd7cdca20aa85f2978112d38d148

SHA256
052cc6fcb6bd25ac4074669bd8d0d16b075c35d581efd9f8ebf4eb2d07932207

SHA512
9d559ed474cb44ba659cf25858112f53e25d45352b657302c35922addd8e2de665aa883c4e9204c8ce144b7973fdec5c545c537fd499554d530b9cb41620411b

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
224KB

MD5
9b0168435535ac6dfbb1e39d4500ebfd

SHA1
ba2dfb5c5365e14a88302d8585f65e528d359dbd

SHA256
38368d64ef5c6a3f9a31f090033617e406aaf693846a85a21a41bcdf8005abf8

SHA512
aac53420effa6104ac4e479b8e568c4b7abb923b998fd5036f5b8004355d9ee2a46db69ef9929ff938b3c2248be80fe39614a45ee4aac016fe391c2642010264

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
224KB

MD5
8b90d37fb3f3108ffd3a41c00c63b896

SHA1
52987ad095445094ba08b2b68ba039c0856729b0

SHA256
c83c01215d2ee3f818b78b4db3f1bb73c706d355af8e3cd011fdc5663dd606e4

SHA512
9924976acc5a29a50bde284e7e927f52c8a2d3da8aa73b69b16d0cadb3f2e5c106fd79c83b9c8c92f269ab7f84e5619d73fd247dc19ae56bcba2c6ca2846ca13

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
224KB

MD5
9f963701fbb2b1c1178172b20b71b9a1

SHA1
671df7e536c0f35f4adc956f003e43220d1146ee

SHA256
ec0ae35a0868ac345c4c42e9b01a9f51a1561e87ce54ea1acaffdf6abd1031da

SHA512
2ccfba31f540bfc3dc4798c6b5b9fe06126a1fdd904bda030503541f354756ffa2373b7f42c0a6902423e64efc46a3ffc855b4d6cb5c7fcfaefda29ca307c701

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
224KB

MD5
5ceed37e5a40e09c4aec63fb7e8c0c38

SHA1
47aa7e3a71b983eccfd398cdfdf7ab59617bca4c

SHA256
1e7786534420b519ffe20e1c457e177b9fa858ea437cd2e51d1f8bdeb298a473

SHA512
b2dfe4dcfa34d47418f11ffd6077ad78f86a54764b7606aeb037323ebc0a6b88814dd4a42efd4790b9d9403909bb2eb3c892d7621ff431b22a0cccaa2d0872b3

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
224KB

MD5
2db62468018e89e971d3280a08ef7675

SHA1
b02107afbb0a00416d37e7974b946699163fa0d0

SHA256
f1d927dedc677b4774b96d037047879e924980999d560819f2a8bf2d5a3dfea5

SHA512
04fb0c0b55f7189ce7028966241e41babb9ae00338e7fc14946c962084e463731fcf4266e3779e33712a2330234087cd335fec9328bd41c15712778445afe312

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
224KB

MD5
f606055e3850584121ae556e9115b37a

SHA1
67671fe6258be8fda6ad2d982a71df79759d9b29

SHA256
d9b005d5b125d322a569a62d6bc0c6859babb866c2a7be8fc0eaf10da377ba0f

SHA512
755aeaf11c586606e9e081e70094778d4a4acb66d917589d6175b0dd3eaeadd209df52f00f97d6cb58f6f82ccb0e3309fb960987d162094293fda11969fccc3b

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
192KB

MD5
86c9deecebef617b144276d03656088e

SHA1
c1364d7b03b33a33ca287b2e7a9132cd888c0330

SHA256
643dd48a3627471dc87285fd369bc028bed308acc5e0b55ae3f4b9667f64be19

SHA512
ca9e8d0ec7e6a87df2f8c1bf00b237f101818088a6fe084167fcb94b3760bb7e6eb8e8468b7d27d88f0b5f1a2ca0eefa4f3d54f5b237fc0e69e409d7c74c9fec

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
224KB

MD5
9cbe37c0795420b56743587b32b88be4

SHA1
5dc14ad922069182575855b22aa8891db0623239

SHA256
f4baf72788866215262236303ea3ffffdb2679f4951fa75a668feb8e2d01d094

SHA512
9d8b0240935e147ef87af98e9e0df75caa7ab6743b89126be9db249b795e79def2ee64114349c7b370a6b499ad3b241a39b6168322a52e8c3451c7345f1a438d

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
224KB

MD5
8f090c6147199e069c950ac85e71ad85

SHA1
5b5dc08926f4d9887aa59cf8bc9ddec6959bcd8c

SHA256
71dca391c3c830cf4cf845aecf15b63318ea54ce8a7a99274cd373ce5478902d

SHA512
251946767f6bd3981d2b1c979f6b217a0660d964c13cd0139a6d0afdcd6be677eab8f56212636f0d2ca01b3d7c64cfd0b2e71dbcf6f68b97c4ff56e160bb56bb

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
224KB

MD5
791a746398631f3f4d0cca9361808e34

SHA1
5cf19e805d61cde67276dcf928ed8a02d3d46a48

SHA256
ae1ec3dac88d9e62419db70fb2f12adeeac19d5cd5fe7fb1ef309458a13e49c8

SHA512
4cf61d592e068184dfcbee38d7fe4aa9cd33b51c2ec726dc6e8cd5aa0807df8f9ab8110c4c1b8bf6f9202701b52623f31cbe302f0221d6ed10ed22e8d6224ef2

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
224KB

MD5
fa33b2363b1f48e0e25d9d51791b2497

SHA1
d14e43aaa085c9e7d5f091e734d09c4bbe1a1cad

SHA256
4234401528e92ed124ea32b7f11ec884d384997f2cbd37dfb70c6fe81ea97d86

SHA512
7385b0ad94221f31d5eb3af0385dc798b36088e38658cd5cca713cb99e021d100281958f1160a3d71dc1eaa2c7abffe66735904bb00f1dd134dcd71ad1d0fbbe

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
224KB

MD5
47bb9d1ca67edcab4f0553baea67ca6d

SHA1
4e0bdffa88ca2572dd28cb2186d4ae73a65ec15f

SHA256
2d2b353a8a6f936aed113c8bce637772ffad4fd3070746e0cfdf85f5597eb90e

SHA512
94af5faf40f79eee6d48ad418e0a8b11faa17e8b2fadfc77850aa41144bafa8ac8639f19ce80dade6ed1a04843060ce37b7b0358724ba9599ed4d9405e478538

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
224KB

MD5
24af0b4b4389607e79e8303aef779280

SHA1
0347b0253c3e64fbd40781bc54d08e0e97db6e84

SHA256
2a1b2e439d0b9c3bad52573845c88c2d8117df8aac6cf8a4f89ba5830a5b6472

SHA512
bc9fa8ba1dadf7a1d8afb9a1f1f90567715164dfbb12b9aed938e13b5fa433c9920b6393931f42cd4d08cd3308370bc71b209bb43b2a7531d311659b19b26135

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
224KB

MD5
a2309f7c95efb2d9394c4b7b373e9fbe

SHA1
ca62abb1002c142c1082384e314ad6a639a354d6

SHA256
0c43e2993ea64af5967eaee676760bbb22cef7581bfa3625f09ffd91b3077bb2

SHA512
5db2ea42d796d8694117366509d215c0a7866b4c37c19c9c0c51e12da41aeacff59d212a73002940367c72b3d8582af60c309358a43435e578f7edc97792662f

Download Submit
C:\Windows\SysWOW64\Gqdbiofi.exe

Filesize
224KB

MD5
06161f19e5773540b3bc8f620be01925

SHA1
b5f11b04b0032b543648d22df28d1a3476d1380a

SHA256
fb4768fc8688d7b7469bd1bb53056df8774fcad2e6027229d5f0bbdba4bd845f

SHA512
26e6d81f40a330bcd11944bf9044e306368ab54dfbcfdf98f97fca5cf88b8430896bee3a91b0949fe92718e5108965044e74662bf23c144053a458bd657e5299

Download Submit
C:\Windows\SysWOW64\Ibjqcd32.exe

Filesize
224KB

MD5
0f298e2e3364608ad69d08b80eb8de1e

SHA1
07fd48061ae8d446ec4e82d4ab16d242985ccd11

SHA256
064fec9479931eb08ddd5c757489048b1ff8e1990c2d2508fdad905e13387f5d

SHA512
31cf631cda4362ddf04ab4956ae5ebc20ebf8fa638f026b0b04f23b98b03cd6b86c9ba2d6dc92e683a4ccf18ee1c4e6fae6f559ec2903d7ece7f2c207a13bc2c

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
224KB

MD5
e52b0abf78eb5ea7745813efef6cc278

SHA1
2d8af39dd13d11c7c457d1279216b018cdaee71b

SHA256
90b4ff3665572f93acd5e9c5041a7f857fbf8e79fa1e3b8c3ee83f035f290a9b

SHA512
ca206405370af9643eac14938a0edadcc86c7f4f09bc4639c01eeb5c9104b2e7d55fa4505dd0b1ba8b40816411db2fef8a3a5e064981875c097d33c8d75c63fd

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
224KB

MD5
64a4f03040b7f873da7314a72ce41686

SHA1
49e9ec5a02b16cd272b3af60e39b8cb61e3b0199

SHA256
f28123590e05e8020d704d4150f4c0529e64d795ae2acb7e8061e3040cd3f519

SHA512
a6be817914769784c64c0d8ddbbc0d9b5493c5d2a838f34298397d7eaa2624e6d37a1a0adda43efc1cf25bd404fd6222e23ee6fce25ef855079ec85677a141b5

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
224KB

MD5
7ccc395d9141f8fa87fab766026ffd5e

SHA1
3aea1c2e2e17f309492ec1c1d573cdab33b7e22b

SHA256
857ae08f0e3bc9acd43c83729498baa68b1a81486d66edc2bd0e0c0bce84d3bc

SHA512
a96d3b24fe0b93843607ccf67d2dd2c4c1f11cdebd5b0c368b6d9efd0c9f4170a12929ec939b498a2e754c39792e22a3d32540356b5d272ecc156d12078e6265

Download Submit
C:\Windows\SysWOW64\Kinemkko.exe

Filesize
224KB

MD5
88880716307f4951db50b6eac7595066

SHA1
170d46fc99810cdafa0e28a8399289c7497279a8

SHA256
d0647509b287f64433b7518a727ea4760e586682be188e1c770d77b31fc3a20a

SHA512
4c6a59971810f39e481e5cc072a504fc13b6c8915308db727e7228af4050b029c720740c4d731d4fbc2f8b80121bc5c0eece38a39d390a9b07fe619a67c32d93

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
224KB

MD5
ffacd0bb6f7bd748eae40b6278ff7f60

SHA1
e10e3baa18abc8fe265109cec0cc8fee6e63074c

SHA256
a973ea68b0ce1caf9cf6325dc43f78b60ebad50da90d2c406249d197d1c5965b

SHA512
f51768c0835805c29709bfeddcf4cb7426d73aa7ed1556f18018db82cf434df7156dc355539c668188dc2cfd80fcfbbf4111a53c12c76701472e565fca32563a

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
224KB

MD5
dc1a3942e2597b8fb24aa63c45da40b3

SHA1
2d92e6aa88eaffba4fab40490396239c0fd0c0e8

SHA256
cd5ff4ba3ff350a953a01293ec05c1d0ed8512a1a5301d72809cbd5ff6874239

SHA512
70957b48452390122842ff2f839aba231e6323349a3ef32b6bd996338497ce51dace5189829a70788f905a169dddc592c394df7cd44ab9001a4663accf5afabe

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
224KB

MD5
fd9d9e4ba7f7afc56bed4f6aaa50a959

SHA1
a69d653bb9d5d1bb5f741480b188120da548d151

SHA256
144e7956efc65e4757eb89efbef546708e2a22db26b436390de04c785fbcb529

SHA512
190dd1e1cd417c7d025d5f3f03b1547c18f0c8212574b7728c001e6ccdfaa555cc385140c7f215f0de5918459425e2c324bbcba19e36662a3cafc93c40cdddd1

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
224KB

MD5
43ffc1419c258d3be953d30680f3d5b9

SHA1
6ff81c73e0d86582756e7d19a68c4181436ac498

SHA256
11da8acdc98ef70f10feee7474feb07b30ecf871cfaacdd0182c4d82166b721e

SHA512
e3d7cbde37397453f4a328e19557da1158d54f940d3545ab596c4b0b5a19d6317ecd8c0d07dcaf8ca22947114e24290c2195dbf7a1d3c4a4f58c04c175e7ad58

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
224KB

MD5
95c6ef984a52d2261d3f8944f97ba90f

SHA1
0424e634d0feb29dfcb31da64e3138aab5e395be

SHA256
421d743b8e62fc955197ace6be02573b7ba4c048739883ab17afbe6655eeebe2

SHA512
a96eb065375c12a308142fe2102784baf7c2dc4a60b7556ce3c01f86264245654b2685e4fba6a71bc31d1573869ae51f3d08669fcf5128f3e94e746e6cdefd09

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
224KB

MD5
dead88c46c287bd5327a38ea76e1d34b

SHA1
f94f3defce7f33b8d0aa3027a67d508754b63939

SHA256
8be4dc5b551b53cbd58ccb9bcf77a631d5d9ca1507eff62282ca4a586d177adb

SHA512
0cade79ffcae2433cace09deb2080655fca18f400d866b8dbdcf5093f7f0a2a43d72b7ae94df32ffb55155d4b244226f0f0ff35d844a08dd5db696d0d71c6aef

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
224KB

MD5
397d6bd0ec4a720069e59d07274b6c13

SHA1
9e5ad7bfbbcbfa5ecaf6550c5096c522fbd365f9

SHA256
abb6a09b24380e5c789a56c12df475feaf40ab57c55b3308ea351ab228dc3bbc

SHA512
9452c30acf1ad34ef2209f8515e62e9aaf5547c402ba0fd1154a94133ed2701c70a61b3a6188d8caed2e54c69a5029ced014f24354f6f508087a0364769e950f

Download Submit
memory/232-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/760-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1092-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-296-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-272-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2508-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3992-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4236-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4976-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5144-1177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5940-1179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads