7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f

Analysis

max time kernel
93s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f.exe
Size

112KB
MD5

e5bfb213997dfba6c6c54c9779a2b76d
SHA1

f6ecd063d47d7cd851c82acfd6b987980de28ff0
SHA256

7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f
SHA512

b101d68a7014798a61e928ddcdcee97f57ff17a2b31d0692d6ea623fb94e0179c1cdfcf6a32493eda88e2a4a2760397d4f37098c208b18bc2025095ee569a432
SSDEEP

3072:OKWmYGq+ZuHJMQH2qC7ZQOlzSLUK6MwGsGnDc9o:OhquHJMQWfdQOhwJ6MwGsw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdldfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe

Executes dropped EXE 64 IoCs

pid	Process
4480	Dfdbojmq.exe
3096	Dhcnke32.exe
748	Domfgpca.exe
5060	Efgodj32.exe
4684	Ehekqe32.exe
4432	Epmcab32.exe
1504	Eckonn32.exe
1524	Efikji32.exe
3472	Ehhgfdho.exe
2284	Eoapbo32.exe
3732	Ebploj32.exe
4000	Ehjdldfl.exe
4916	Eodlho32.exe
4032	Ebbidj32.exe
1620	Elhmablc.exe
612	Ecbenm32.exe
3252	Eoifcnid.exe
3548	Fbgbpihg.exe
3772	Fjnjqfij.exe
2472	Fqhbmqqg.exe
3140	Fbioei32.exe
3476	Ffekegon.exe
1336	Fjqgff32.exe
4360	Fmocba32.exe
3160	Fqkocpod.exe
4784	Fjcclf32.exe
5040	Fmapha32.exe
700	Fbnhphbp.exe
760	Fjepaecb.exe
3640	Fqohnp32.exe
2360	Fbqefhpm.exe
1564	Fjhmgeao.exe
4980	Fmficqpc.exe
2572	Gcpapkgp.exe
632	Gfnnlffc.exe
1440	Gimjhafg.exe
4696	Gqdbiofi.exe
1096	Gbenqg32.exe
1948	Gfqjafdq.exe
4988	Gmkbnp32.exe
4456	Gcekkjcj.exe
3588	Gfcgge32.exe
2980	Gqikdn32.exe
4548	Gpklpkio.exe
856	Gbjhlfhb.exe
4180	Gjapmdid.exe
3076	Gmoliohh.exe
3488	Gqkhjn32.exe
4164	Gcidfi32.exe
3996	Gbldaffp.exe
2436	Gjclbc32.exe
3280	Gmaioo32.exe
408	Gameonno.exe
4100	Hclakimb.exe
5004	Hfjmgdlf.exe
3264	Hjfihc32.exe
5088	Hmdedo32.exe
1736	Hcnnaikp.exe
1588	Hfljmdjc.exe
4400	Hjhfnccl.exe
2792	Hmfbjnbp.exe
836	Hpenfjad.exe
3536	Hfofbd32.exe
2044	Hmioonpn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Eoapbo32.exe	Ehhgfdho.exe
File opened for modification	C:\Windows\SysWOW64\Fjepaecb.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Hjhfnccl.exe	Hfljmdjc.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Fqhbmqqg.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhcnke32.exe	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Gedmgfjd.dll	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jdemhe32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Qfiapa32.dll	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File opened for modification	C:\Windows\SysWOW64\Gbenqg32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Gmbkmemo.dll	Ipnalhii.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Domfgpca.exe	Dhcnke32.exe
File created	C:\Windows\SysWOW64\Pmcglkid.dll	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File created	C:\Windows\SysWOW64\Mmpfpdoi.dll	Ijaida32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Fdcfcpdf.dll	Elhmablc.exe
File created	C:\Windows\SysWOW64\Fqkocpod.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Gbenqg32.exe	Gqdbiofi.exe
File created	C:\Windows\SysWOW64\Lihoogdd.dll	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jaljgidl.exe
File created	C:\Windows\SysWOW64\Ppaaagol.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nacbfdao.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6484	5852	WerFault.exe	282

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedmgfjd.dll"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aajjaf32.dll"	Jbfpobpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecppdbpl.dll"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpmkpqcp.dll"	7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gagaaq32.dll"	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpkqnp32.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 4480	1732	7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f.exe	86
PID 1732 wrote to memory of 4480	1732	7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f.exe	86
PID 1732 wrote to memory of 4480	1732	7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f.exe	86
PID 4480 wrote to memory of 3096	4480	Dfdbojmq.exe	87
PID 4480 wrote to memory of 3096	4480	Dfdbojmq.exe	87
PID 4480 wrote to memory of 3096	4480	Dfdbojmq.exe	87
PID 3096 wrote to memory of 748	3096	Dhcnke32.exe	88
PID 3096 wrote to memory of 748	3096	Dhcnke32.exe	88
PID 3096 wrote to memory of 748	3096	Dhcnke32.exe	88
PID 748 wrote to memory of 5060	748	Domfgpca.exe	89
PID 748 wrote to memory of 5060	748	Domfgpca.exe	89
PID 748 wrote to memory of 5060	748	Domfgpca.exe	89
PID 5060 wrote to memory of 4684	5060	Efgodj32.exe	90
PID 5060 wrote to memory of 4684	5060	Efgodj32.exe	90
PID 5060 wrote to memory of 4684	5060	Efgodj32.exe	90
PID 4684 wrote to memory of 4432	4684	Ehekqe32.exe	91
PID 4684 wrote to memory of 4432	4684	Ehekqe32.exe	91
PID 4684 wrote to memory of 4432	4684	Ehekqe32.exe	91
PID 4432 wrote to memory of 1504	4432	Epmcab32.exe	92
PID 4432 wrote to memory of 1504	4432	Epmcab32.exe	92
PID 4432 wrote to memory of 1504	4432	Epmcab32.exe	92
PID 1504 wrote to memory of 1524	1504	Eckonn32.exe	93
PID 1504 wrote to memory of 1524	1504	Eckonn32.exe	93
PID 1504 wrote to memory of 1524	1504	Eckonn32.exe	93
PID 1524 wrote to memory of 3472	1524	Efikji32.exe	94
PID 1524 wrote to memory of 3472	1524	Efikji32.exe	94
PID 1524 wrote to memory of 3472	1524	Efikji32.exe	94
PID 3472 wrote to memory of 2284	3472	Ehhgfdho.exe	95
PID 3472 wrote to memory of 2284	3472	Ehhgfdho.exe	95
PID 3472 wrote to memory of 2284	3472	Ehhgfdho.exe	95
PID 2284 wrote to memory of 3732	2284	Eoapbo32.exe	96
PID 2284 wrote to memory of 3732	2284	Eoapbo32.exe	96
PID 2284 wrote to memory of 3732	2284	Eoapbo32.exe	96
PID 3732 wrote to memory of 4000	3732	Ebploj32.exe	97
PID 3732 wrote to memory of 4000	3732	Ebploj32.exe	97
PID 3732 wrote to memory of 4000	3732	Ebploj32.exe	97
PID 4000 wrote to memory of 4916	4000	Ehjdldfl.exe	98
PID 4000 wrote to memory of 4916	4000	Ehjdldfl.exe	98
PID 4000 wrote to memory of 4916	4000	Ehjdldfl.exe	98
PID 4916 wrote to memory of 4032	4916	Eodlho32.exe	99
PID 4916 wrote to memory of 4032	4916	Eodlho32.exe	99
PID 4916 wrote to memory of 4032	4916	Eodlho32.exe	99
PID 4032 wrote to memory of 1620	4032	Ebbidj32.exe	100
PID 4032 wrote to memory of 1620	4032	Ebbidj32.exe	100
PID 4032 wrote to memory of 1620	4032	Ebbidj32.exe	100
PID 1620 wrote to memory of 612	1620	Elhmablc.exe	102
PID 1620 wrote to memory of 612	1620	Elhmablc.exe	102
PID 1620 wrote to memory of 612	1620	Elhmablc.exe	102
PID 612 wrote to memory of 3252	612	Ecbenm32.exe	103
PID 612 wrote to memory of 3252	612	Ecbenm32.exe	103
PID 612 wrote to memory of 3252	612	Ecbenm32.exe	103
PID 3252 wrote to memory of 3548	3252	Eoifcnid.exe	105
PID 3252 wrote to memory of 3548	3252	Eoifcnid.exe	105
PID 3252 wrote to memory of 3548	3252	Eoifcnid.exe	105
PID 3548 wrote to memory of 3772	3548	Fbgbpihg.exe	106
PID 3548 wrote to memory of 3772	3548	Fbgbpihg.exe	106
PID 3548 wrote to memory of 3772	3548	Fbgbpihg.exe	106
PID 3772 wrote to memory of 2472	3772	Fjnjqfij.exe	107
PID 3772 wrote to memory of 2472	3772	Fjnjqfij.exe	107
PID 3772 wrote to memory of 2472	3772	Fjnjqfij.exe	107
PID 2472 wrote to memory of 3140	2472	Fqhbmqqg.exe	108
PID 2472 wrote to memory of 3140	2472	Fqhbmqqg.exe	108
PID 2472 wrote to memory of 3140	2472	Fqhbmqqg.exe	108
PID 3140 wrote to memory of 3476	3140	Fbioei32.exe	109

C:\Users\Admin\AppData\Local\Temp\7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f.exe
"C:\Users\Admin\AppData\Local\Temp\7d54d6f4e191a5395f5cb95fbab43565045edbf70a3d2b99de52ac64e2567c4f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\Dfdbojmq.exe
  C:\Windows\system32\Dfdbojmq.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Windows\SysWOW64\Dhcnke32.exe
    C:\Windows\system32\Dhcnke32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\SysWOW64\Domfgpca.exe
      C:\Windows\system32\Domfgpca.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5060
      - C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3476
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        28⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        30⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3640
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        34⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        36⤵
        Executes dropped EXE
        
        PID:632
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4696
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        42⤵
        Executes dropped EXE
        
        PID:4456
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        43⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:856
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        47⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3996
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        52⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        53⤵
        Executes dropped EXE
        
        PID:3280
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        54⤵
        Executes dropped EXE
        
        PID:408
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        56⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        59⤵
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        61⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        62⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        63⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        67⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        68⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        69⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2656
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        71⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        72⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        74⤵
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        75⤵
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        76⤵
        Drops file in System32 directory
        
        PID:784
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        77⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        78⤵
        Drops file in System32 directory
        
        PID:3756
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        79⤵
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        80⤵
        Modifies registry class
        
        PID:4960
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        82⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5184
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        85⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        86⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        87⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        88⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        89⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        90⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        91⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        92⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        93⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        95⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        96⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        98⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        99⤵
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5904
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        102⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        103⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        104⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        106⤵
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        107⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        111⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        113⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        114⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        115⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        116⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        117⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        118⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        119⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6132
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        122⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5428
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5868
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        127⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        128⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        129⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        131⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        133⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6136
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        135⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        136⤵
        Drops file in System32 directory
        
        PID:5692
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        137⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5328
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5252
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6188
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6268
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        146⤵
        Modifies registry class
        
        PID:6312
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        148⤵
        Modifies registry class
        
        PID:6388
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        149⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        150⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        151⤵
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        152⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        153⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        154⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        157⤵
        Modifies registry class
        
        PID:6772
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        158⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        160⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        161⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6992
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        163⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        164⤵
        Drops file in System32 directory
        
        PID:7072
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        165⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        166⤵
        Modifies registry class
        
        PID:7152
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6224
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        169⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        170⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        171⤵
        Modifies registry class
        
        PID:6444
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        172⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        174⤵
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        175⤵
        Drops file in System32 directory
        
        PID:6696
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6768
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6852
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        178⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6984
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        180⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7104
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        182⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        183⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        184⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        185⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6456
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        188⤵
        Modifies registry class
        
        PID:6804
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        190⤵
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        191⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        192⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 400
        193⤵
        Program crash
        
        PID:6484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5852 -ip 5852
1⤵
PID:6332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
112KB

MD5
9e25b592abeb3f987fe1706b0cef0fdb

SHA1
b69bfa7a4fa9e7f1df8914f859ebe285cb4e1803

SHA256
7d9990897eff92b58810c391da114659edb2f2dac3a56e5b0efb0743fb728c88

SHA512
6388a3c4cffa17b48f87f59071576ca17b44378fa9d71bbf956965db05d7476adc0e9fb65730e9d4e8f1828454861fbb5a9992653070841e0a13503710a0c939

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
112KB

MD5
6d930a8f7df438ca280e1ae455a1fbd4

SHA1
7d5ec8074f2a2f7028b223fa3905ae092bc25353

SHA256
077687d8d3a489af8450ec35dac70e8ad4c5e727cf50ccbbd28d249f874792e8

SHA512
81ae42130e91f0d149eb6d299644ae88bfcebba70ebecf3ae7f09103bd39ec121c1cacce1240267b07a410de3317a84032a80fc2cc5704e73427e8d80966a194

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
112KB

MD5
39c21b263ec3d94072e8260ccca73ce9

SHA1
de01ad28346aca029ed2213d02fb8c1a6b11cdef

SHA256
441a554fac932583287b5f8fe36118b66bfb659e266886eb1fec52fb2ffd2787

SHA512
e8c25cfd691c6067401a14e7e30c5ac22e281aabcd1a8f1d7271980cc11db1cf3cd8e8dcc1b3e489dac2a5619cb93fe2e29c5ad838863530495cb2dfc3cf1f4e

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
112KB

MD5
68ede3f36610bdc11695fb141fe22079

SHA1
384bfb63f62456c474cabfe6f0de31fa2d394980

SHA256
5b9723752eb2ba26b499cc49152a87d697972726ee34ae30cb84dbc1cd2effe0

SHA512
30dbe9991fae25e2b654e2c2c0ed11677c8f3f21fee7395fd289ea630ea3d18f9f42450acf4318b50309dd3916e574dd2ba9886ebebdd884008d6472e9886c3d

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
112KB

MD5
036a9c9475c0a349a11594234435bcdf

SHA1
deee28ed2808ff6d573e62aef7707c81305ceb96

SHA256
84cc3b36d03f49454ef0196e984892f07ee8d2461d148ef4a82865d94501ffd1

SHA512
1b69d4404df23a6830625b177c30c28fc5d027de4d7a05f1398601d9e9922a5e81a90745474cf64a4d17cbeb3a806d87ebb06a0068fdb926b1eeafccfd52256e

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
112KB

MD5
2baf52b3369c4c5655e295973676d51d

SHA1
82893b5d5df5fd9c87607e6b43604aae0957f12a

SHA256
0cfd694ed3c5dbfbb928dfc7b1d9dcca783ec9caf8a3e8ab539447f759bca536

SHA512
a06b8a82ca63ccd65965e365285d0a10f51e90bd6f122c71a96c0513939d2aa99a90a43f73f4c899087edded78d33980613ab8b7a9351f5c579dfbd951d57f99

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
112KB

MD5
721eab881563c250d3201069d8ddd3e7

SHA1
0077f89422c715dfa1b01480e6b9d785255f826e

SHA256
e3e96238d069d1032b0b39630192b45bbb6af0e236b15bd670cba116397a1105

SHA512
6a755dc42feadda1c1b5fbfcf7245a9eca0f691198a4828cc060d4319fa2ce82669765199959d4e6c09913d5294f2ba12a6b8c313c8771ea59d2778b10eb6e7a

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
112KB

MD5
57d117a57e0b1cfad0c04565d2caeaa0

SHA1
6daff01f9ec583cc788325e366330d7df47fbd3d

SHA256
b31b0e2be4a8730ce45003eb4a65a207b43b01604321b294bfaa727505704ed3

SHA512
7e5874e05fd25b74ecf7d601e71a4f6f4915aff6090e12db1537d3ce68117c53262b5bc4bcc7c5e98d829ec9b14a0b13c6615efd15654949614aac279128c3db

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
112KB

MD5
0f75dd1ea527ec7ae1e910875404cd43

SHA1
d40696c4fe04a47a6f05ad95fda627fcace8dcf1

SHA256
df53eee3bdd87dd46bab087142fa59c926891b23b45b449fb327b675dc3e9510

SHA512
e7bfcc9c4f3f3064c60759912e2c901ea7dc36ebc3a4067d5d7d9ca53fd0f1c77c938a1a9cebe7f9eaa1f1f93cc9e2b4e740c9d71dca0b0323766e9f7054b4fc

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
112KB

MD5
d0cdb3a2f975264cbb4d63153cb3dd3f

SHA1
c5e73329cc6c5066076faffe55cc36dae4ddda67

SHA256
d284c9a3ede29f6c455bfdac57fd5a8e4ff3b9f03768ab370c3bdea5e9315ff4

SHA512
ece3246e3bc44895c870d1251ca117959603350e30e8888fa2f1526fe1a72ac9618a51e6a91d55b336449da3d5d75faa1b52d5096db4b1a2e0b59f487e22b537

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
112KB

MD5
7a8e82f53879d704481a15319a8e295f

SHA1
ef448bd6d0ee95b2b1acca6b97635ef735d50466

SHA256
30bbbe493cb4d90118490e4c64b3a88d229b1355198586b5f73a31b4a48c8da8

SHA512
adc4c58ba46592ae50caf60784da17ba46a4856776642427a8fc9fda8d200f626ec3f8f8474afc591e23a1397b816967fcd17f364bff214d940b7ebc239e96a0

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
112KB

MD5
85144d2672061d6d8459df1529b1a18a

SHA1
fd750dc5dcedd1c31cba7ef8fac8d7a5a24f7ae9

SHA256
b8801480e57bc4475a59e6c653ff1de261f4e4ec1727e587ced3a3c2ef838ac0

SHA512
a912c585034ea9dfaddcb6dce7485c86b0a9fbffe2c20820386d2d8cc283b38aaad406bb5a1650076501819d37e1919216db6cf97574399809febe40deb67213

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
112KB

MD5
7dec30e80b2b354a5bd09790c13a9e0c

SHA1
cdd5cc55f46da5fa309b73db513a11c3a54a563a

SHA256
2f020664e746618c6375116dabb2e69990a9bb8cd9d66aa9e9dccba164ac7921

SHA512
f0b62bc760f86ef2643b8579e1344e78e03fdfd69911816ed6de32e963663b69e8a1afdf06c9321ab801b443e12ab82643ac42ab1eff4e4e32ebd02bb7996ac8

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
112KB

MD5
a273f39bff6800ddb85522f664ab8c9f

SHA1
366888d6be21c41224209dc2597fef032d135fe7

SHA256
91cf9e3469f2855459885f13a03d8c172f9ef238ba1ac0ac191e0ecb15f022fe

SHA512
87809b9e86911f3d867a62f2f6ae1632089191e8261af65bd9a673573f0e5da94008d6b4424ee2a07db7289f75769009e9f1819bb2444c928430d62f4239318e

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
112KB

MD5
eb65f9478c555838774bae4ee57399d3

SHA1
33371d81523be847b4008d914308d8769644c7d0

SHA256
6ec8133d9846b16e895361e9cc3562d4f9344ed89055c74089be57e6abcf8b31

SHA512
809aa32fcdc06646d786ef5b612398e2fc375655d5f36b1d39f810d3a37ad1ae3fe3f9b4838d066dfccac0adc0b66f75056a2e417ca98450c86931475aaf14f4

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
112KB

MD5
5361d1b9a3eb405d58de741574e86da3

SHA1
f9d1ea0d21f4c5d0c3034b13587831b0eaa86036

SHA256
8cdb92c3c60674fc39fb99ef5b51ead6b500a53394effd4e632c49e9a414f6bb

SHA512
05c4ff6cc0e5577451550cbf6b6778a2a19d469f28a853bb73248b74be2a5c1a54f451bfce64b77151478247d972caccf11808c5dc0c01d227902edcc6a8f24e

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
112KB

MD5
4529d18c62588e01f4b5ab5b43c26fb2

SHA1
4e954f73c76bfd5a10f22793bb0f27e0be238bca

SHA256
aae47ae285391b011ef8b7018dc2b61c6f67ce30c8977661a3475cbcc8fd6154

SHA512
eac6cb8fbafcc80469279a9c319d9a42258852ebf7cf6ed3429c54aea8ac4acc1d647e5b9348ce8546cc961d57e088c5ace6ff48bb8c4e215ebcddbba3669463

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
112KB

MD5
159c592efe572afd9c31259a54597eb2

SHA1
dd50ae396dc553969e18527231a2aa8be9e8da56

SHA256
a359eadbf0d8dbe1adc3ab5b0520138175a17ad67fdf54db95f7756bb170c38f

SHA512
ae137a54cd51f19543416c79cb76cf0c2f7f8656a62d31109e5d2d19704058f3b50e7bb554f98ac2b212b4eb56763d1130ed575038d640dbc96786513236d9d7

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
112KB

MD5
0f672a9c99f1972442e7c7b43830b61c

SHA1
bec10b5184d20aaa2c51983b3d23c8b9e7003506

SHA256
25979d86944f38fff0e25409a75db9cc2b13963ac5f7b51ef86cb908412c3467

SHA512
7aea6212dfa6487d295d32009b9119877f5a4936cbee86ef16cca0764af3417eb7161260f8e814d1a831aee273c156c8d4601b611a46ba1eae8f28500eedd412

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
112KB

MD5
4be1bb9afeb4337b04b18c00decc8d03

SHA1
fe61b412ade10a39e13bc3f9fc8000e17ed1120d

SHA256
6b4921c653f5033a83ffaa73e390bdbcc2d8abd0acaab7f390fe5f5fcebcc1ef

SHA512
915a3be0b2cd527657ef529c9ca3eba0ef23a4ec40885b27121b1ae2a796db9a73388dd4798eb34e506d228302cb1f19924c80933cf120aee46e9a5384cdd87c

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
112KB

MD5
8cc5c199eec35c202869bfda9ee430d1

SHA1
febfc9af71ff65f10e2417783b06a1a99adf30e5

SHA256
6b69f682db08805838956994386af7a7c98a131b15237c7ad665b1401924c33c

SHA512
3a87fb69d55fe45373a3e371856df047b5aead52672cbfd8eebe8059822e631cd5036ed93c25a00ba4496ffeb102732eda0dbccd90e5d4fa61994752a3abe13f

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
112KB

MD5
e04e842528acecf0d2c9b8ec10f9d115

SHA1
63852594299e1d6a38aa17495094b86f45c8a235

SHA256
05561c62ad9f651192605c61251432dc808646bd58154a53061300357a2b2ab4

SHA512
e3981bbe03cc922a72e082af03acd0d67354669a0b9cb45ec779bf9609f26b6820bd5aeb635d9041336da31e4f48702cb29ad64de75be5f3099e7c1de21b1cb6

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
112KB

MD5
c491fc099d4d33f36ca7c5772e327adc

SHA1
99528e686a6c34d52806bc912913a1c5c1226cfe

SHA256
4216044185479db19445f5a8ceb3715d75827ea9211dc2d76a5e960cf22dcb26

SHA512
e31bd72c8481822122ec725d2af42983ed4e19117576790e2870c8968c5db7fee7a479bdc1cf31c99cc1d73ef862ce0afab85220272ac4e43603352dafd7f474

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
112KB

MD5
102b0a8e33fdea72471ffbbbada4c675

SHA1
712cbd0a7df3fb7ac6bfeb6915a1173e31309807

SHA256
63da628410b84a12f2f96649a56d4d4c5bfba3b1dcb09a7aae38d96e1cc32c19

SHA512
04a9edc12bd9b71b5fc75c894ddb1d4255f7f1f607c7d4466fc77ea97a558de2d73fae3daf9a1f3b6b610cb5f17c837feaec95c91b8ce7b1cffe0dca238e3bdd

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
112KB

MD5
7d8d04f6970c0a8a7a99f1846b3d4405

SHA1
2802c719598d7e1fbf1b275c3e4a6e111f11e552

SHA256
bafccabe743b9b6d4f100aa37d9fb54336103b508e08917cab8200c70c8afed9

SHA512
f79a59a7caf69a39a95006d44b446d0aaff6d16facea7bfc57e11aadc48ac505982e9776582e3daec09ac0e1ed46c25daaea4b3f515874e30e5f093b7346ecd6

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
112KB

MD5
063121513a629526bf1a812865f2f2c5

SHA1
84ab547ca08daaf760d7c9f06a5e3eee27593eac

SHA256
0f3168e32c3863bd141602237cfe4a1342a11c1412a4660a6c6dadabfb490cca

SHA512
f097a8194b6b7262e7c616fc9c11c37c9e0f1c619e6c4cf078d4d14f1cdc0caeb64c58ace06615fef948a667e36f636dea3e3abb7e28bf796db021fb75e27a4a

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
112KB

MD5
dd4b99a6663bad880a38895d263665bc

SHA1
5b6dc99877ae894dfbbd71ea799a276d99de7b36

SHA256
0bbbaed0b1dfaab97ac6bd1364f98cf617ffdee4214c3a16021ddbc06d55e292

SHA512
d3d2a3d6a1f96e901109f6dcecf221356b0f995b469c4cfbb4cb71dc929b5ca35dac61cbcd0da38c37513d6a82fb97a99dd8d6c25647a002c759240fd818ee40

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
112KB

MD5
a4e440dabc853d55f17ab450a2115dc9

SHA1
eb223814a0a946208e1bbc8fcc3e9023d92e436e

SHA256
8f990d13e6e409916c3a1f353193a50d9bfc686613c36d115f61757d1f818fa3

SHA512
a775e3acbfa8ef2bd403feafd7b2465cc38ea2030ee0f07881eec5d3d866165a62aafbf31f4755f70131ac48ee85c5c4e1819a9db88ab601de98e430bb4f7e20

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
112KB

MD5
ffb48ec493318119fd30cd91eab5e91b

SHA1
03921b5f44027c0ac1d5782261651f89c5160b68

SHA256
1bdd3348968a9bf51ee6bfeeee5607732eda5276d1811aec8de2dfec8b2b5943

SHA512
e6e8a786407275055c93700fc9f2b2faa6c1663b4cfa6b55d767e8cfc479320030f4c94213d5db1bd56fcc9e90545f8ae18b3bbb66fd22d728c4544cf14610b8

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
112KB

MD5
904c5fc83f778d674f796694b0acd329

SHA1
ba2b0881348b6450528ef00a99253072820dd6ba

SHA256
eb1a3df4fa4fc8779e538c501c1af63283905ac60e4e231854dc70f9e0c8edb5

SHA512
fad1bb760f6b0d9db2528bfe186e2711daf9a098d096cebd1135123dcc2f2c008c1767f9f81e68d6a53195b8f8160aca81b784b6c14fb1d9fe43776e3c650c23

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
112KB

MD5
b413c679ec5b601c4803a3959451a219

SHA1
5ede75c1d90b172b5ded986d1bbc800909531531

SHA256
ce64de75daaf88ab309dcb9715cd9019a1df97d6ead02c25a07ebdb6c8ae5796

SHA512
fc38129c72a8f14ccefc34ca561916dfc085462fe72f03ca99154d8bce68142e88050ec87d8a6226c45008edbed15eb853f8ac8c019960b30fe9a0d0f15eb141

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
112KB

MD5
0ee38dca6dedf5a16bb0149c70f28cf7

SHA1
349509d328ed9a2e955da04b1bd160790e1075f7

SHA256
04ebd10cd4074e30ca425767734d9c5958aea443cec277e4046f3668c0dcf376

SHA512
26d4d6b2fbcbbf437de5b58a4ed61d85f9659258204c20d4e901fd32f4db9c920d79cf9d144ae929621df529fd17032644512d1aabf10336f797771cc48ebde3

Download Submit
C:\Windows\SysWOW64\Jaljgidl.exe

Filesize
112KB

MD5
14d6c21487f65a466abef5177d75c245

SHA1
6a8e221d6ac18f0b1bdc5d68d50df24ad0b215a5

SHA256
6f7cfb1cac70d90aa4d42116c53fb531b6dc65e247e42059520cc3dfcefd600c

SHA512
6b51dee28cb3b16bde9cab76d8e314ba6f02bd047bf652f5035f82f5ae272d0660527a6a2cef88921ed99247de07b94d1f0e40a2b6bdd0e0f375e483b72e0428

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
112KB

MD5
28f1ca2a9ff537d748b265629f610625

SHA1
3963a0b28c8f0056b03d7e1bbdcdfee0543fc920

SHA256
7c3f8704997b14789b88adebb214cc4ba0069d8a1af720aadc0d285546fc4bef

SHA512
d7c56bbac3a42ef25fe4077a42988b1194eb6e98c44aedce92e3ff87e3bee2bd9bf1decf1faeea1b00392195aed6e55cfa4f1e7dac1d0a599b04bab681dac8c3

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
112KB

MD5
ff56a9a5ead6daec62cb4d1eaf90f264

SHA1
6b5711b6125ceb76ec3fdc35f3348b014f3bcc37

SHA256
f8c2e13101d1fed38e74f7b61eea18d67b108dde45712943c5fd56b2b1433bdd

SHA512
04707f92525ab2a7b022d9a49650bd6ee9572d25dd5cbf54545af20a53d330ba2d69dd2d937b55b0c4b55ac815760093658fadfd651bcb6ba49218214e3c264d

Download Submit
memory/612-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/612-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/632-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/700-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/700-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/760-320-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/760-243-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1096-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1336-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1440-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1524-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-339-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1564-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1732-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1948-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2284-168-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2360-264-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2472-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2572-356-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2572-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-344-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3096-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3096-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3140-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3160-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3160-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3252-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3476-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3588-333-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3640-258-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3732-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3732-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3772-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4000-102-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4032-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4360-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4432-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4432-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4456-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4548-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4684-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4684-124-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4696-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4784-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4784-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4916-111-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4980-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4988-326-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-226-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-305-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-114-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads