328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26

Analysis

max time kernel
92s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe
Size

368KB
MD5

18a3c249b719eaf461e177961b505198
SHA1

fc2dff4b5c88b996aed546e8649a9e2108bf1fd2
SHA256

328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26
SHA512

3490a4bb2e3de2c6cefeeea13ff55936a2a1f6f0006d8960f468201e6fd8a27ffe8a75e63ac5c74c9b958ec76daa071ec77bddfc8d0c8b94b1dd8c8a9779c8dd
SSDEEP

6144:YH3cqockH58E4f9FIUpOVw86CmOJfTo9FIUIhrcflDMxy9FIUpOVw86CmOJfTo9t:OOpaAD6RrI1+lDMEAD6Rr2NWL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpihai32.exe

Executes dropped EXE 64 IoCs

pid	Process
4184	Eckonn32.exe
4632	Efikji32.exe
1816	Ehhgfdho.exe
2312	Epopgbia.exe
2388	Ecmlcmhe.exe
3592	Ebploj32.exe
796	Ehlaaddj.exe
4876	Eofinnkf.exe
768	Efpajh32.exe
2928	Eoifcnid.exe
5080	Fbgbpihg.exe
4808	Fokbim32.exe
4524	Fbioei32.exe
5112	Fjqgff32.exe
3160	Fomonm32.exe
2808	Ffggkgmk.exe
2952	Fmapha32.exe
4600	Fbnhphbp.exe
2308	Fqohnp32.exe
3860	Fflaff32.exe
552	Fijmbb32.exe
3500	Fqaeco32.exe
2812	Gbcakg32.exe
4068	Gimjhafg.exe
3308	Gogbdl32.exe
740	Gjlfbd32.exe
2940	Gmkbnp32.exe
968	Gcekkjcj.exe
3060	Gjocgdkg.exe
2376	Gpklpkio.exe
4352	Gfedle32.exe
1388	Gmoliohh.exe
1032	Gpnhekgl.exe
3336	Gifmnpnl.exe
2832	Hfjmgdlf.exe
1652	Hjfihc32.exe
4916	Hmdedo32.exe
2184	Hpbaqj32.exe
5076	Hbanme32.exe
936	Hjhfnccl.exe
404	Hmfbjnbp.exe
4476	Hcqjfh32.exe
3616	Hfofbd32.exe
3532	Himcoo32.exe
624	Hadkpm32.exe
1224	Hccglh32.exe
752	Hfachc32.exe
3056	Hmklen32.exe
2924	Hpihai32.exe
3956	Hfcpncdk.exe
5072	Hjolnb32.exe
408	Icgqggce.exe
4236	Ijaida32.exe
3708	Impepm32.exe
116	Ipnalhii.exe
3960	Ibmmhdhm.exe
3004	Ijdeiaio.exe
4168	Iannfk32.exe
2016	Ifjfnb32.exe
3872	Iiibkn32.exe
4080	Imdnklfp.exe
4364	Ipckgh32.exe
3520	Ibagcc32.exe
848	Iikopmkd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Ebploj32.exe
File opened for modification	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Eoodnhmi.dll	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Ifopiajn.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Fmapha32.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Ipnalhii.exe	Impepm32.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Ehhgfdho.exe	Efikji32.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Ffggkgmk.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fomonm32.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Eckonn32.exe	328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File opened for modification	C:\Windows\SysWOW64\Eckonn32.exe	328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jfffjqdf.exe	Jaimbj32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Eofinnkf.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Eckonn32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Efpajh32.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gfedle32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5412	5620	WerFault.exe	230

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cniohj32.dll"	Eckonn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jigollag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmbkmemo.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamagmq.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kpjjod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jdjfcecp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfpoqooh.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hccglh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4184	3968	328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe	85
PID 3968 wrote to memory of 4184	3968	328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe	85
PID 3968 wrote to memory of 4184	3968	328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe	85
PID 4184 wrote to memory of 4632	4184	Eckonn32.exe	86
PID 4184 wrote to memory of 4632	4184	Eckonn32.exe	86
PID 4184 wrote to memory of 4632	4184	Eckonn32.exe	86
PID 4632 wrote to memory of 1816	4632	Efikji32.exe	87
PID 4632 wrote to memory of 1816	4632	Efikji32.exe	87
PID 4632 wrote to memory of 1816	4632	Efikji32.exe	87
PID 1816 wrote to memory of 2312	1816	Ehhgfdho.exe	88
PID 1816 wrote to memory of 2312	1816	Ehhgfdho.exe	88
PID 1816 wrote to memory of 2312	1816	Ehhgfdho.exe	88
PID 2312 wrote to memory of 2388	2312	Epopgbia.exe	89
PID 2312 wrote to memory of 2388	2312	Epopgbia.exe	89
PID 2312 wrote to memory of 2388	2312	Epopgbia.exe	89
PID 2388 wrote to memory of 3592	2388	Ecmlcmhe.exe	90
PID 2388 wrote to memory of 3592	2388	Ecmlcmhe.exe	90
PID 2388 wrote to memory of 3592	2388	Ecmlcmhe.exe	90
PID 3592 wrote to memory of 796	3592	Ebploj32.exe	91
PID 3592 wrote to memory of 796	3592	Ebploj32.exe	91
PID 3592 wrote to memory of 796	3592	Ebploj32.exe	91
PID 796 wrote to memory of 4876	796	Ehlaaddj.exe	92
PID 796 wrote to memory of 4876	796	Ehlaaddj.exe	92
PID 796 wrote to memory of 4876	796	Ehlaaddj.exe	92
PID 4876 wrote to memory of 768	4876	Eofinnkf.exe	93
PID 4876 wrote to memory of 768	4876	Eofinnkf.exe	93
PID 4876 wrote to memory of 768	4876	Eofinnkf.exe	93
PID 768 wrote to memory of 2928	768	Efpajh32.exe	94
PID 768 wrote to memory of 2928	768	Efpajh32.exe	94
PID 768 wrote to memory of 2928	768	Efpajh32.exe	94
PID 2928 wrote to memory of 5080	2928	Eoifcnid.exe	96
PID 2928 wrote to memory of 5080	2928	Eoifcnid.exe	96
PID 2928 wrote to memory of 5080	2928	Eoifcnid.exe	96
PID 5080 wrote to memory of 4808	5080	Fbgbpihg.exe	97
PID 5080 wrote to memory of 4808	5080	Fbgbpihg.exe	97
PID 5080 wrote to memory of 4808	5080	Fbgbpihg.exe	97
PID 4808 wrote to memory of 4524	4808	Fokbim32.exe	98
PID 4808 wrote to memory of 4524	4808	Fokbim32.exe	98
PID 4808 wrote to memory of 4524	4808	Fokbim32.exe	98
PID 4524 wrote to memory of 5112	4524	Fbioei32.exe	100
PID 4524 wrote to memory of 5112	4524	Fbioei32.exe	100
PID 4524 wrote to memory of 5112	4524	Fbioei32.exe	100
PID 5112 wrote to memory of 3160	5112	Fjqgff32.exe	101
PID 5112 wrote to memory of 3160	5112	Fjqgff32.exe	101
PID 5112 wrote to memory of 3160	5112	Fjqgff32.exe	101
PID 3160 wrote to memory of 2808	3160	Fomonm32.exe	102
PID 3160 wrote to memory of 2808	3160	Fomonm32.exe	102
PID 3160 wrote to memory of 2808	3160	Fomonm32.exe	102
PID 2808 wrote to memory of 2952	2808	Ffggkgmk.exe	104
PID 2808 wrote to memory of 2952	2808	Ffggkgmk.exe	104
PID 2808 wrote to memory of 2952	2808	Ffggkgmk.exe	104
PID 2952 wrote to memory of 4600	2952	Fmapha32.exe	105
PID 2952 wrote to memory of 4600	2952	Fmapha32.exe	105
PID 2952 wrote to memory of 4600	2952	Fmapha32.exe	105
PID 4600 wrote to memory of 2308	4600	Fbnhphbp.exe	106
PID 4600 wrote to memory of 2308	4600	Fbnhphbp.exe	106
PID 4600 wrote to memory of 2308	4600	Fbnhphbp.exe	106
PID 2308 wrote to memory of 3860	2308	Fqohnp32.exe	107
PID 2308 wrote to memory of 3860	2308	Fqohnp32.exe	107
PID 2308 wrote to memory of 3860	2308	Fqohnp32.exe	107
PID 3860 wrote to memory of 552	3860	Fflaff32.exe	108
PID 3860 wrote to memory of 552	3860	Fflaff32.exe	108
PID 3860 wrote to memory of 552	3860	Fflaff32.exe	108
PID 552 wrote to memory of 3500	552	Fijmbb32.exe	109

C:\Users\Admin\AppData\Local\Temp\328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe
"C:\Users\Admin\AppData\Local\Temp\328c4165accbe1a23cfe28feeb3742959d1be417a7aa8fc385ae16e545a1da26.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\SysWOW64\Eckonn32.exe
  C:\Windows\system32\Eckonn32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\Efikji32.exe
    C:\Windows\system32\Efikji32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\SysWOW64\Ehhgfdho.exe
      C:\Windows\system32\Ehhgfdho.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:796
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        24⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        30⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        31⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4352
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        33⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        34⤵
        Executes dropped EXE
        
        PID:1032
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        37⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        39⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        40⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3616
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        45⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        49⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        58⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        61⤵
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        65⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        67⤵
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4688
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        69⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1496
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        71⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3804
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2732
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        74⤵
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        75⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        77⤵
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        78⤵
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5040
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4056
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        88⤵
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        91⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5492
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5540
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5668
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        99⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        100⤵
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        101⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        102⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5932
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        106⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        107⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        108⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        110⤵
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        113⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        114⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5652
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        117⤵
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        118⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        119⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        121⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        122⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        123⤵
        Drops file in System32 directory
        
        PID:672
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        124⤵
        Modifies registry class
        
        PID:5256
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5692
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        129⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        130⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        131⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        132⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        134⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        135⤵
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        138⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        141⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 412
        142⤵
        Program crash
        
        PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5620 -ip 5620
1⤵
PID:6072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebploj32.exe

Filesize
368KB

MD5
07ee0a3cf09c5600293f5f3addd81e6c

SHA1
a40e6eb315f119c6f547f70b156a182d2f172bff

SHA256
62f2180e031c95dcc4e4ddfe1c45af744f0039e80ea94f1ea10a2364f9642461

SHA512
aaf5d57202bb8273156bbf9fa42447e050aa0cfee4b1835ba8f68fe942f4968e602384380e50abbc50336ac3ca39287566c0a9c29b4ada1c30283ddb8c442890

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
368KB

MD5
a2a8631c07047bd9177c80c5e974324f

SHA1
4bc3be7c8303cf91d89eb40d16ca87199414ed07

SHA256
1bf5e8e9b96e5a2995c7ed5bae8b8c5486f23e702c73a1cb856e3edfdc205124

SHA512
fa888a8690d7fc0abb6540ea8f164e92bc5b6f4a5a1e81ad5c6695df944f083654669ccb335abfd2fdab402d4df639396a3ea5e16598fe0540c8aef3aa0a2dcb

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
368KB

MD5
777ec69b2eb0d83b18d70aa264b77b09

SHA1
71db202b53fdfcabc71c23f953d29c4336592368

SHA256
ce8a8f2dee802c653d04ce2ec40c44e770b6db2c095e57aa7e03300d91914a51

SHA512
9dec0d7b895000d99777889b0ef36947160124f7e887d0bc1beafd83534e6aac3198fa420eaac5456f04cb74116b1268e6f613b4307f34a7cffcb2113404c17e

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
368KB

MD5
30127cd9c451de8784e413d6de59a23b

SHA1
d24054b3c41568e7b61a0bf0409ec65b57b58b8a

SHA256
03147664c9f4782d98ca34a1973088666a044cc7b5f33941af1fa0a5daf03ec3

SHA512
de0e0d321504b7f416f45820209779f7003d4bce5b8a0f12d08f37c3ded78172448d7f0fc9ee5511489f158a48d3307c48f0f7206468b25c1e748781ed79a72d

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
368KB

MD5
78769117f4cda825c55cfabaa3417702

SHA1
808c5e9fdbf09596f8877ecf309104e8d7db9d69

SHA256
5adcd9ca67e84a83ba54071e8bf659325f9803f722ec6384df2c539419736336

SHA512
24be8947d065b2e48c46a90e549db7e5b4b6f229936a71bc8864a897fa870e4d3e0c19474af0e0893f36f45c1587c4c1dc4a64a2a6402ca22fecf2e0dcdb4312

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
368KB

MD5
7249e845622033ce9366f9c39170677b

SHA1
aaffeb968e418e69c896298a52937ceb1cb6dd74

SHA256
1e4e14afabaeb94bb3b9764bd1125ce8dc5e6b3e491fd084b1a53d112604d82a

SHA512
b58cbbaf9334d13115cf87d91e8696b366ef94107c15cee9cc347d7d98e589f68635f8567071d7575d4bfab6206c62fe0ae536f3c4fe32129d1df573d60da9b0

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
368KB

MD5
aacb66ec7eef0a717edbd4aa105f26f8

SHA1
7d0fdc176919eb4b99ada098b63056c6784a4181

SHA256
72303b922de564b5a54b1f323d8f5ee31ef9760bf9128fbd3e52b6c5b94f924a

SHA512
3965801372b492429eb89de0db432dba61b64ba1756818028eddc7c0d07efeeb1d0298dc404cd46b466c4b0d802abadd3d49c69e4b05fd1e4ddb4d6db6dff27c

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
368KB

MD5
3fc9e16e83ba8e91c1b683979f632c77

SHA1
7f6984edcd86622fb64948c0e1638bc373eac05d

SHA256
afdad04d13c283e18db951aa7794234505f68633d2eaacec3b22724506482798

SHA512
35811939ae4bb26ae699040826509a7bc97a5de7538ab027c647fb1e4c997684e56e622060a0caaa885f289fff3799325200caab6a2801f5002a9c9b373884f2

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
368KB

MD5
9c1314a6a0a6569c8331d852baf7b435

SHA1
a3f2b5501f721c18091213e4643271ca52ad5baf

SHA256
2572eb8ef95f0714a288de2c18de7288cea2e3f32de374e8fd5d636fab859722

SHA512
af8685420d178d4335e10171b192d6897e2569f508033bfa3384d431ce325e0f00a94670c864df82f87ccc81dd8884ea6d342ca09a8970b9b12efadb10582b97

Download Submit
C:\Windows\SysWOW64\Eoodnhmi.dll

Filesize
7KB

MD5
be94038599898f29adc1f8bd2f6b01ef

SHA1
b529e48cac4568a73f68fb9a1c81e555b8007ab2

SHA256
1cade1c6898ac2b2be85690d09271e1b010c3d59406575688b706965de03c364

SHA512
171ebdf4b1f0e8debe4d2ec42f1ad83a3bf6c0c344ac1d1be8f4cb6aa41d5fb78851516e5c33a66302a9032bdc50b74741cceeaca2ac7cf5cb0e6780b9aebaa0

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
368KB

MD5
828dcd25edcd8c04b2c5b20051f5d29a

SHA1
21189a1f1338d89ae645d454d86a9357190a94c7

SHA256
02a31fd5e21e96dd58b6710511f3a7fb886f666daf0993e378631d739f6e8d9d

SHA512
b27c145cf1d42ec9ce1a0b471850953fdb35c196ce500174fcaca074910309e50ebaec51f5b75b937f08dacb5d3a77494527a754bc03ae56cf63303a36d775c4

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
368KB

MD5
18fed699f78da7779c4f987929fb7b86

SHA1
5292aeac475a9367aab1dec322230afe55d8857d

SHA256
5df0765d1d457c24ce85ad9dc95d565abb1fe64d9d31c6a4f4aa3cd5e22cf612

SHA512
fa25ab754cce5477f82a0b3f018ace251c895ed3d7d33ce077cf80e694117beb657f6a2c4421359c6fb3e32be8ecebf6e9c5826927a24c68a09987e46ec9c8c5

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
368KB

MD5
e342c0f5300b45b96f1223b39fd5f5bf

SHA1
05c1cd08058a628d575a545aea87afbd4f03ba1c

SHA256
c29b6f2ab960826a5776eaa98498d3c3116d8e7fcaf568486124977d9fd8c4e7

SHA512
2931cf512bdd6658213b027a1d7b51e115c5c594883e5dc2f28990d61678574b9f1d9bf73a7ecdb4b6e1972bc9f648a2f8a97b8a3f9b5bbc3de5a2c2d360efdb

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
368KB

MD5
abe6dec390a17e8ae4fbc0148f5cd33a

SHA1
cf265900dfb46fae81c2e121d05a4582f86d8cf9

SHA256
e978bf423c7c6825c3109f839bb7221c2a6fd2d029deb6dd4c368d15cc562787

SHA512
0051cdbb568c4555406d7a0c5c14ec32b223c0f09788f565a4446c05d6c845dc38e11ff5e442e1a48b0d0ab9f8bf3b2aacf7df6bcb8dbe3cead3338f5ed534cd

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
368KB

MD5
d422284d4b34d2a2754cc6ff242aafd3

SHA1
8485cee1f4bb56dedb527e9bf0b39bbc7c8343b6

SHA256
4d8847b6d060a65ce891934ace51b5d243b2afbc15f637d855aa77fdfed62e65

SHA512
4b996e03e828fc1277ad4e8cd49be83bf03d02b1cf9fd1a63b7fc430cc1a6d4881fb96c3d1b09cc62160bd3a819e453228b210c8d4631dc95f3cfbde7dd3d124

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
368KB

MD5
56127c1d7e96a8b90bc703e685879d29

SHA1
20ad4290a001fc88152384d44426da6ddfdf260b

SHA256
ad15a9a1bb1630612bb97a1b24acc246a0065fdb36f2f1808d509827d85030ef

SHA512
be82ba87134dbb9d4564be5131f7899d044d5744ded26c1074ecf0d3d3b80d77f8479492362a47d49480ee86209895a94dc15c9e019c8260edaa24d3bb30ab9a

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
368KB

MD5
b5d95c25b14876b05815ac40606828a3

SHA1
db7419518f3d446cb8e3238a5e688feee79fd33f

SHA256
650628c5590343a6aede91e452ce74a76e859a15e842092778eba6eb54dfd852

SHA512
a89e40b55c0a3d1a8ffd2c9a3abec7ad32ded19157b3d914f5aaf25f513660e9065930b1b07a49a9473e5df8477eae3901e1500050b0af7ca69858a323fd696f

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
368KB

MD5
90a2170f2d963d6de64cd52882bcac5e

SHA1
6aaad3587a1d518fff53911dd2b3ac4c594a022c

SHA256
d86aabb66003df1ecfe948b8bfdec6435e2ecf5df8c0fd6bc956111575114d95

SHA512
bf210c7ed08fe055f2e7d87ee2ecbdc058dd98d19acbe3b6eb329295100af5071d386982647404a8ae8274bf603145578242045b479035c4379536979303e7f7

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
368KB

MD5
60374c758e3897ec4cce5ca25ff06a51

SHA1
ad1f978e23bb129e17df5b4c51d5f7239a1929bd

SHA256
794a010e69e9e5e2b9dadc4bd462673b2368f7f7ce69f825d7466a0e37c7542b

SHA512
5cc13e3a38b21891f346d160e5cf40541368aeca304b01ad4163cf27fcb1b425db4392136f940cf9e9245c50381659647e00c4f779e057054c3759775412bb0f

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
368KB

MD5
5c783f28aec9ff10d3b461352c1a1b86

SHA1
6a8236c702eec2e7239bf8926142327bf505703b

SHA256
86c23706eb1f57b04279c0615386f45a76ebb716ce55b27500a15c4abf21bb4d

SHA512
3bc5aaa276e40a9a4f56d8b14dd1bfee1a62a2e62beece476ef1348168cb71dd977c1f974a33bc027dd97323abe970afed8756cf976c666d4e027f06ce88c117

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
368KB

MD5
eed0e9b3c146f6682e0e6260a753ae6d

SHA1
f457c0ab332dcb5b03841e704a95ddad41273f40

SHA256
b80ebbde2c4a66e076ad4bd09f18e16c5127fc5f9724e5975f160aa98e6bbec5

SHA512
4db4fbf17c9ad2eb1bce122549430c144ffea5454db3db2ac351504f3f37864cc510a517fa57091fa21208fea2aa5cbd4168724cf8d02575c361f8f224441ba9

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
368KB

MD5
a87ef10c95d9cddbc16ee621428e733d

SHA1
8f99aaddac7aa651756b6ad6d3caa761d7335267

SHA256
60af75988be984d6ccdddc2711d5cae96d47ab7ca9a4c784f7fea5867cc14453

SHA512
31cd5d31fc0059626173f4eab1e9ca61e77149482b84fda1f4eecefae66f7136621fb809f5fe100eb0ee02048abd04552f77be636d696837b9c9b36e3907246c

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
368KB

MD5
6810c8d6b52d454763df16dd1f74b7ab

SHA1
430b50be5de08422ca4126aafff1208a07f21c9b

SHA256
018b244db22e7eb9e27b20bdacd8a68924b23de548a2189ea3db4b9f9ac2ec22

SHA512
2ff1b674700701a9fa7ec43b41e4d5ada69b30d835a237dabfedea68cc4647dafb88e2675e5c6edd7c00313789d79e18d9db94c59f6f65e59a3c23f53e7fbbdb

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
368KB

MD5
4a288b55ce07eb265b32aefa7f5d6711

SHA1
f2d6a9bc48f8c8f6c13045b6653f87d926b77ebb

SHA256
a716bbef75e217739b0155da1bcd10937cb06d9c76b1251fa3563702eaf7d42f

SHA512
f69ca44a7271c978d708db6e249949a6ce602dd415c7137064b39f3db681679c17a6d4df52c7dfdd51a746b90d8f1f64b4f64c1e8c4b071244043d319d1d5fcc

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
368KB

MD5
77b4da7151ee334738cc8bd8fad78b86

SHA1
715cb042ecf1885748a79d95b046100c0d7642d3

SHA256
5113ab69557a314488f5fbde982094012d337dc5618e9e34a663e476b3863b7b

SHA512
961aec2dec2b964556227418bc02b41dcd331dd56dab7847868250d6a6a745c180469f0fbd893bc5994b83ccf25826df1c8e40c693f237dd46d315d1ef0e41d4

Download Submit
C:\Windows\SysWOW64\Gfedle32.exe

Filesize
368KB

MD5
1b76cc141c626d1a760ff34097714867

SHA1
1736219dffc28b69cea875ee9f8770e754f60be6

SHA256
818571eac82c9cd3973c9a79b4fe1addce0f02d2e97fb71e1ac17e50c739f6fa

SHA512
fc1e37b4779bc190e65d807519e9c46ba6bb07982587846ca89f8f183186c92394a13e19d62214795081e4d49d493877f749e49d4d878598a180a3e828eecd71

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
368KB

MD5
93419edfeffb57c89fde4ef644103f87

SHA1
5b2df8fdefd0c54023ebc518018bc9b6fb7d1907

SHA256
c20da8316c29c855bbcce665f223717fd99cf81baa87f34daaae1e8881815306

SHA512
308dfcbbd2553a1b1218c3d6e1d19a1bf13352aa0575f08b29ebd7d25d4aa026bca9be6cda4c3f4f9f273490ee67a15b541e890fae94579aa502ec7f61dd1db7

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
368KB

MD5
2d0fab15bad6391841128984ef17d99e

SHA1
91173aaad3bdc3813c92b557695dc3cf75103db9

SHA256
4385a6843007c26ba2756862531497c2fdb5685057cf1509dbf5ce916b215112

SHA512
de648e9986c6916d8b2257e25798ddaa2eb1b20ce738eef4a203143359186fd926a4ab9769cf782c969831dfc18110a60375b36a54917d66d6b37452627394fa

Download Submit
C:\Windows\SysWOW64\Gjocgdkg.exe

Filesize
368KB

MD5
a7c04e223fd086c22402080aed865fec

SHA1
3c5678078fbf337c8fc1471477484d1037a613f5

SHA256
8cdde8bb38ba4d9287d9b5141a7ee2c83c94ece0ff4d6e09bc880bb56e533241

SHA512
2da6093a3329b38ce8d2a8db10b40aa009822ea1b18e003653befb772bb39eba56280997c5043ee97bad53b2d7eeda344f1c7a768b65f8b065ba893b11c4a3a6

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
368KB

MD5
6edb08cf97516bcb2362817ceafb00ab

SHA1
3b4d535f345ef3a62f3e6f326f9537a52dddc3af

SHA256
64e1a68f2105af33dffb52ad87c700dde6f0e74756b1c687fd87ace0c6fc37ff

SHA512
766d191e9bb427f187916f47bd3e5a1b05546ca88b4b8da19a4093ff74d1b5f89bde580f1f2a9de4c9baa198c070ea56d93284bf6c43674b35736b3dff6fe4fb

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
368KB

MD5
3fa1cd34d8464d94a746166e4877c482

SHA1
948ecfc1ad1361e69bf135188d9475037a53f3ee

SHA256
b98f1fd01b8e0b3b89f839ba43603bc306a05790447ee6a0321d106487583285

SHA512
22d7aa911f5ec256c3b6878fb891ae1905c3ad65faee63887ffccca6b86304d3af008e246598f8afb97a153c1ffc92f59592899a76918eb09f30debf6d29e220

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
368KB

MD5
58ec40483f014a90bbe0e0976b4c341f

SHA1
8b3712abea6bbc36378b70a60d0ba10eda5567b6

SHA256
e355db953f3b8de1bc162097a492f37c5ccf5fb7f4d954efe3a663e22ff9de72

SHA512
cfa8f1d4678b0b83aeb3799b8928b9cfe0f1a154e1bbd9c80f7815f4b18e329fa3ed0aeb4b9c63c8d7c6d848b3e67a1e1c822a3b83e8aa4517da0e0848b86155

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
368KB

MD5
2fd0702c36bf272bca758d1108f38474

SHA1
518c370471a386a90d48d450c521bb81612a7dd1

SHA256
9d819995d3c72e33a6815357a8a35329b700ee4468bb5ac2501f72c0d79ffb4b

SHA512
c205ed641b8a2617c69a11cf61646b5fb8899834e6fc97c4786cc422bcd7949f1269eb8498576d9979d5c757119b23e8cb4a48a69bf4a5bb6b4deb763e7ea64b

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
368KB

MD5
29ec7ebc19b3fd27ee899baee222c3e7

SHA1
41fc2dec02c00bfaf8174a9599f0a204f73d7db9

SHA256
a5142d08d112c3f0b5028e583426ca0f2840e28207193bae60e746f9ad1c9810

SHA512
3fcbe702bc94a63acef59d7a6f257713885d2dc71a4fdf0434664949db9de82b85d4359b8c320ff78340944acb80fce59b84e7f5e17e89f740bd85206efcca08

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
368KB

MD5
490ead57ddd6be333c4cdbc9f635c2b0

SHA1
69a12c7b886c139a95916587b6215eef428d5dfd

SHA256
bd77e769e3b2896112a837190ba4a54af1be9842923cd2ac3e80f41a3b2d082a

SHA512
163ff810a1021e4db5836d47707b0e88e0959ac89451a8cebed68605d386fa095ce73f864df161db1ec318248459f9e495112162ca999c3ecd5f73d958282d2f

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
368KB

MD5
5a4576379334a7f7b4caccb14f36e2f4

SHA1
266be4063c37db99dd899bea36c7b4f7fab2304b

SHA256
65beb288e94d8a1bb92d03ec090ef40ea4d9fc59bd1b8bd761168d19b52a48c0

SHA512
878df6f1bb7d73b1226ed21c678b80d3b88c183282b1f0f9fdd52c484548b7f36519ec108746a4857f12e425678c462859816eb1788abcfa033af66eebb78614

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
368KB

MD5
c96c79bb7a14b0e5a6a69531935e2707

SHA1
36a16e96312b57fbf96a9d54aab564bb6c9e60ba

SHA256
fb79651cabfcb9af03e62bb4cb30e28b38131bfdb8d22ebdfc842917a45c6290

SHA512
f5d9224c59c48a74c66ef361e2a66f5405d3ccbdb162fc0d4d06741a218f60462787c6f52390650d69bd61e9d9a1d8cad27f9e40e1243d38ef78889fe07cb388

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
368KB

MD5
7485d8333820dd26e08ff1b4f4a71923

SHA1
91b28d20febce408884322edebe0b4e4da78ea58

SHA256
3e64dd7a3e0e06676d9172cb5694b3e68ed2f5f0f55ba933d4ab503e311a99ae

SHA512
a6df6e95b866ef03d89e05eb42216fb333ee7ded0c07253fc9483f4915cb8793178482e5c765e54b302371ca07220d74d6e7dc9cd20de0f2fffadb08e4d6914a

Download Submit
memory/116-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/404-311-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/408-380-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/624-338-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/740-208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/752-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/768-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/796-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/936-308-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/968-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1032-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1224-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1388-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1652-284-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1816-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2016-419-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2184-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2308-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2312-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2376-240-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2388-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2808-132-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2812-183-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2832-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2924-362-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2928-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2940-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3004-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3056-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3060-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3160-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3308-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3336-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3500-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3520-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3532-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3592-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3616-326-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3708-393-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3860-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3872-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3956-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3960-403-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3968-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4068-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4080-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4168-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4184-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4236-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4352-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4364-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4476-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4524-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4600-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4632-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4876-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4916-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5072-374-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5076-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5080-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5112-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads