f9c174dda7ca1b4f29b67c185e51b9bc6b4b2058507eb698f2e8db9af2d01a20

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9c174dda7ca1b4f29b67c185e51b9bc6b4b2058507eb698f2e8db9af2d01a20.exe
Size

96KB
MD5

21871d3eb76b1058ac004979259953d5
SHA1

c09efda48622992b99d7896b338ef1ee611efaa5
SHA256

f9c174dda7ca1b4f29b67c185e51b9bc6b4b2058507eb698f2e8db9af2d01a20
SHA512

cba9955738357dd9ca4146e1c25908fa59d32a2af2f4355496393e1cfd6263a756a9617ad6b40210727074a6e336bfaea33cee557073081860ecd8ae579f9978
SSDEEP

1536:ah2cwpQEz931SK5IdKmu/LXI+SSi5gKlljl88G/BOmWCMy0QiLiizHNQNdq:a8HRh3R5INEIgKllj+5OmWCMyELiAHOi

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmocba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbllkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	f9c174dda7ca1b4f29b67c185e51b9bc6b4b2058507eb698f2e8db9af2d01a20.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daifnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imgkql32.exe

Executes dropped EXE 64 IoCs

pid	Process
1572	Daifnk32.exe
3788	Dfdbojmq.exe
3100	Dlojkddn.exe
2944	Domfgpca.exe
2928	Dakbckbe.exe
4188	Ejbkehcg.exe
2676	Elagacbk.exe
1656	Eoocmoao.exe
3652	Ebnoikqb.exe
4828	Ejegjh32.exe
1580	Ehhgfdho.exe
2612	Epopgbia.exe
3196	Ebploj32.exe
4196	Eflhoigi.exe
2084	Ejgdpg32.exe
3428	Eleplc32.exe
2480	Ecphimfb.exe
3684	Ebbidj32.exe
512	Efneehef.exe
1684	Ehlaaddj.exe
4536	Eqciba32.exe
1040	Eofinnkf.exe
3656	Ebeejijj.exe
2680	Ejlmkgkl.exe
3328	Eqfeha32.exe
4648	Eoifcnid.exe
3128	Ffbnph32.exe
3068	Fhajlc32.exe
4276	Fqhbmqqg.exe
4468	Fcgoilpj.exe
116	Fbioei32.exe
4716	Fjqgff32.exe
5004	Fmocba32.exe
3460	Fqkocpod.exe
5108	Fomonm32.exe
4128	Fbllkh32.exe
3424	Fjcclf32.exe
1980	Fqmlhpla.exe
3204	Fckhdk32.exe
4720	Ffjdqg32.exe
1232	Fihqmb32.exe
4012	Fqohnp32.exe
2160	Fcnejk32.exe
4860	Fijmbb32.exe
4320	Fqaeco32.exe
3456	Gcpapkgp.exe
2852	Gfnnlffc.exe
1920	Gjjjle32.exe
1288	Gogbdl32.exe
2564	Gbenqg32.exe
3932	Giofnacd.exe
224	Gmkbnp32.exe
216	Goiojk32.exe
3176	Gbgkfg32.exe
2512	Gfcgge32.exe
3396	Gjocgdkg.exe
1640	Giacca32.exe
916	Gmmocpjk.exe
1892	Gpklpkio.exe
3768	Gbjhlfhb.exe
832	Gjapmdid.exe
2000	Gidphq32.exe
4372	Gmoliohh.exe
3832	Gqkhjn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lolncpam.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Hmdedo32.exe	Hihicplj.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Dakbckbe.exe	Domfgpca.exe
File created	C:\Windows\SysWOW64\Mepgghma.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Ampkqqjm.dll	Ebploj32.exe
File created	C:\Windows\SysWOW64\Hfofbd32.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Ifhiib32.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Dlojkddn.exe	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ebbidj32.exe	Ecphimfb.exe
File opened for modification	C:\Windows\SysWOW64\Fbllkh32.exe	Fomonm32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Ibjqcd32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kdcijcke.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dadofijl.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Gqkhjn32.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jjpeepnb.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Himcoo32.exe
File created	C:\Windows\SysWOW64\Mgblmpji.dll	Ibjqcd32.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ppmeid32.dll	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Fhajlc32.exe	Ffbnph32.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Mfogkh32.dll	Hpihai32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Eflhoigi.exe	Ebploj32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gameonno.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7824	7772	WerFault.exe	307

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cichoi32.dll"	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkakml32.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglanoaq.dll"	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbfkb32.dll"	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeopdi32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbledndp.dll"	Imihfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ecphimfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hfachc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daifnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmggiogn.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1572	2856	f9c174dda7ca1b4f29b67c185e51b9bc6b4b2058507eb698f2e8db9af2d01a20.exe	87
PID 2856 wrote to memory of 1572	2856	f9c174dda7ca1b4f29b67c185e51b9bc6b4b2058507eb698f2e8db9af2d01a20.exe	87
PID 2856 wrote to memory of 1572	2856	f9c174dda7ca1b4f29b67c185e51b9bc6b4b2058507eb698f2e8db9af2d01a20.exe	87
PID 1572 wrote to memory of 3788	1572	Daifnk32.exe	88
PID 1572 wrote to memory of 3788	1572	Daifnk32.exe	88
PID 1572 wrote to memory of 3788	1572	Daifnk32.exe	88
PID 3788 wrote to memory of 3100	3788	Dfdbojmq.exe	89
PID 3788 wrote to memory of 3100	3788	Dfdbojmq.exe	89
PID 3788 wrote to memory of 3100	3788	Dfdbojmq.exe	89
PID 3100 wrote to memory of 2944	3100	Dlojkddn.exe	90
PID 3100 wrote to memory of 2944	3100	Dlojkddn.exe	90
PID 3100 wrote to memory of 2944	3100	Dlojkddn.exe	90
PID 2944 wrote to memory of 2928	2944	Domfgpca.exe	91
PID 2944 wrote to memory of 2928	2944	Domfgpca.exe	91
PID 2944 wrote to memory of 2928	2944	Domfgpca.exe	91
PID 2928 wrote to memory of 4188	2928	Dakbckbe.exe	92
PID 2928 wrote to memory of 4188	2928	Dakbckbe.exe	92
PID 2928 wrote to memory of 4188	2928	Dakbckbe.exe	92
PID 4188 wrote to memory of 2676	4188	Ejbkehcg.exe	93
PID 4188 wrote to memory of 2676	4188	Ejbkehcg.exe	93
PID 4188 wrote to memory of 2676	4188	Ejbkehcg.exe	93
PID 2676 wrote to memory of 1656	2676	Elagacbk.exe	94
PID 2676 wrote to memory of 1656	2676	Elagacbk.exe	94
PID 2676 wrote to memory of 1656	2676	Elagacbk.exe	94
PID 1656 wrote to memory of 3652	1656	Eoocmoao.exe	95
PID 1656 wrote to memory of 3652	1656	Eoocmoao.exe	95
PID 1656 wrote to memory of 3652	1656	Eoocmoao.exe	95
PID 3652 wrote to memory of 4828	3652	Ebnoikqb.exe	96
PID 3652 wrote to memory of 4828	3652	Ebnoikqb.exe	96
PID 3652 wrote to memory of 4828	3652	Ebnoikqb.exe	96
PID 4828 wrote to memory of 1580	4828	Ejegjh32.exe	98
PID 4828 wrote to memory of 1580	4828	Ejegjh32.exe	98
PID 4828 wrote to memory of 1580	4828	Ejegjh32.exe	98
PID 1580 wrote to memory of 2612	1580	Ehhgfdho.exe	99
PID 1580 wrote to memory of 2612	1580	Ehhgfdho.exe	99
PID 1580 wrote to memory of 2612	1580	Ehhgfdho.exe	99
PID 2612 wrote to memory of 3196	2612	Epopgbia.exe	100
PID 2612 wrote to memory of 3196	2612	Epopgbia.exe	100
PID 2612 wrote to memory of 3196	2612	Epopgbia.exe	100
PID 3196 wrote to memory of 4196	3196	Ebploj32.exe	101
PID 3196 wrote to memory of 4196	3196	Ebploj32.exe	101
PID 3196 wrote to memory of 4196	3196	Ebploj32.exe	101
PID 4196 wrote to memory of 2084	4196	Eflhoigi.exe	102
PID 4196 wrote to memory of 2084	4196	Eflhoigi.exe	102
PID 4196 wrote to memory of 2084	4196	Eflhoigi.exe	102
PID 2084 wrote to memory of 3428	2084	Ejgdpg32.exe	103
PID 2084 wrote to memory of 3428	2084	Ejgdpg32.exe	103
PID 2084 wrote to memory of 3428	2084	Ejgdpg32.exe	103
PID 3428 wrote to memory of 2480	3428	Eleplc32.exe	104
PID 3428 wrote to memory of 2480	3428	Eleplc32.exe	104
PID 3428 wrote to memory of 2480	3428	Eleplc32.exe	104
PID 2480 wrote to memory of 3684	2480	Ecphimfb.exe	105
PID 2480 wrote to memory of 3684	2480	Ecphimfb.exe	105
PID 2480 wrote to memory of 3684	2480	Ecphimfb.exe	105
PID 3684 wrote to memory of 512	3684	Ebbidj32.exe	106
PID 3684 wrote to memory of 512	3684	Ebbidj32.exe	106
PID 3684 wrote to memory of 512	3684	Ebbidj32.exe	106
PID 512 wrote to memory of 1684	512	Efneehef.exe	107
PID 512 wrote to memory of 1684	512	Efneehef.exe	107
PID 512 wrote to memory of 1684	512	Efneehef.exe	107
PID 1684 wrote to memory of 4536	1684	Ehlaaddj.exe	108
PID 1684 wrote to memory of 4536	1684	Ehlaaddj.exe	108
PID 1684 wrote to memory of 4536	1684	Ehlaaddj.exe	108
PID 4536 wrote to memory of 1040	4536	Eqciba32.exe	109

C:\Users\Admin\AppData\Local\Temp\f9c174dda7ca1b4f29b67c185e51b9bc6b4b2058507eb698f2e8db9af2d01a20.exe
"C:\Users\Admin\AppData\Local\Temp\f9c174dda7ca1b4f29b67c185e51b9bc6b4b2058507eb698f2e8db9af2d01a20.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Daifnk32.exe
  C:\Windows\system32\Daifnk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\Dfdbojmq.exe
    C:\Windows\system32\Dfdbojmq.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Windows\SysWOW64\Dlojkddn.exe
      C:\Windows\system32\Dlojkddn.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        23⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        24⤵
        Executes dropped EXE
        
        PID:3656
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        29⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        32⤵
        Executes dropped EXE
        
        PID:116
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        33⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        35⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4012
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        44⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        45⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        47⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        48⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        51⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3932
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        55⤵
        Executes dropped EXE
        
        PID:3176
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2512
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        59⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        61⤵
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:832
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        65⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        66⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        67⤵
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        68⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4636
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        70⤵
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        71⤵
        Drops file in System32 directory
        
        PID:4216
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        73⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        74⤵
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4688
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2104
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1728
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        78⤵
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        79⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1736
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        81⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        83⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        84⤵
        Drops file in System32 directory
        
        PID:3948
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        85⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        86⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        87⤵
        Modifies registry class
        
        PID:5192
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        88⤵
        Drops file in System32 directory
        
        PID:5232
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        89⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        90⤵
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        92⤵
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        93⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        94⤵
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        96⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        98⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        99⤵
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        100⤵
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5808
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        103⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        105⤵
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        106⤵
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        107⤵
        Modifies registry class
        
        PID:6056
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6104
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        109⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        110⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        111⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        112⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        113⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        115⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        116⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5748
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        118⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        120⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        122⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        123⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        124⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        126⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        127⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        128⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        130⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        131⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        133⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        134⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        135⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        136⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        137⤵
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        139⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        140⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5692
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        142⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        143⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        144⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        145⤵
        Modifies registry class
        
        PID:6288
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        148⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        149⤵
        Drops file in System32 directory
        
        PID:6448
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        150⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        151⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6580
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        153⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        154⤵
        Modifies registry class
        
        PID:6672
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        155⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        156⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        158⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6940
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        161⤵
        Modifies registry class
        
        PID:6984
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        162⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7064
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7108
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        165⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        166⤵
        Drops file in System32 directory
        
        PID:6148
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        167⤵
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        168⤵
        Modifies registry class
        
        PID:6308
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        169⤵
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        170⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6532
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        172⤵
        Drops file in System32 directory
        
        PID:6612
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6664
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        174⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        175⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        176⤵
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        177⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        178⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7104
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        180⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        181⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6340
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6440
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6588
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        185⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        186⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        187⤵
        Modifies registry class
        
        PID:6852
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        188⤵
        Modifies registry class
        
        PID:6972
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        189⤵
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        190⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        191⤵
        Modifies registry class
        
        PID:6420
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        192⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        193⤵
        Modifies registry class
        
        PID:6752
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        195⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        196⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        197⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        198⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        199⤵
        Drops file in System32 directory
        
        PID:6300
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        200⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        201⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        202⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        203⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7172
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        204⤵
        Modifies registry class
        
        PID:7212
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        205⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        206⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        207⤵
        Drops file in System32 directory
        
        PID:7348
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        208⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        209⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7428
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        210⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7472
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        211⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        212⤵
        Drops file in System32 directory
        
        PID:7556
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        213⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7604
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        214⤵
        Drops file in System32 directory
        
        PID:7644
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        215⤵
        Modifies registry class
        
        PID:7680
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        216⤵
        Modifies registry class
        
        PID:7732
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        217⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7772 -s 420
        218⤵
        Program crash
        
        PID:7824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 7772 -ip 7772
1⤵
PID:7800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
96KB

MD5
16b2c99ca8280168287497c59d9e1f31

SHA1
53cec7f93ed8c73aab013bc1ed77ad65d51919e7

SHA256
0d791a0cd9ee11fa8f274f2326c0dfb60d5d26aeb839c05694cdd230a98bd8b4

SHA512
5e7cb219f7bd4b716c55a72155419616d50fb4c5730dbcc56075ef47b3b261e8457d36665a98bc2e5da6d45b21b035d69a42d24dabfcb267535c12f68b34d963

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
96KB

MD5
e8243e4d1ef3f6d2a4055798bf83a343

SHA1
56de6bf36fe5d73335e107d2991497d00626741f

SHA256
4d7f4d8bc3074610c4a7c0d117f6d818b3ba15bb6f783038243d77f0960bb3bb

SHA512
285b6c656d42cdf00ec0d8d790441b8e51ec6044258875369321088f90a79a17e82a0b58950a7c7507e4380a2ceb93b822f28b7f589f4cea6fe7aeff57976f8e

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
96KB

MD5
4659c41e3f1fe362846083d9d982d72a

SHA1
2127e883e4eb74203b4ebb4a0349798243a19f33

SHA256
f59b5e0a244b91cca9adbad6367833c33e0cd3d4dbdd7eca6e2434057679ffee

SHA512
845127dd35129446672bef638ab81ee44245a02bb6bb63ad4e64f7e6bd017ba7234f9735f58f2ea95ca1c3ee136a6d2cfec1c89942ab176c7f2835682c0d65f4

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
96KB

MD5
c7afcb90d50f5340635b7df2e95fba63

SHA1
a56d931dcc4bc4b93366b7b7f0aba54a756e63b8

SHA256
b569d171b782568d14a4dd8722b9872f16bd6640b30834329908378b43ebefed

SHA512
a71b1fcf674ba7ff4733232d4babe0106017aa0d3a99be4724d19a6cc1e07a5446fb640b1017fb50605121d3b08bc178a695196399b99a02950eecc316bee12b

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
96KB

MD5
094dff8b8e85c87d52ac6b58e86a731e

SHA1
6c8b1f98601a3f5230ee254b7ce9551eeca33d43

SHA256
e29da6b1b6d28e88b92ac9ceaff6e17e064840cc2cb1de4c1859b359e37cde67

SHA512
7fed7dd132f8aa0ede36b39b4b755a70be56c408e754a0989306018996d904eff608af500215b09ccb00bd111e9b5ba43fd5e444982a6db09d5dbffc2ff0d902

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
96KB

MD5
145775b351d09553fa92a16d742787ed

SHA1
31f9c17ee91bc2038293c821471ba9af8e9f00bb

SHA256
6453eef6a42948b8e537f807f4815c9ea9c83e3f26e910999a96bc94cc576cbb

SHA512
36518780fc2e35b2f1f79ec4916b188055261d268f1a11bc31a7fe3e2afd8a3d28ab69afa5be47060c8f8da7bc16231e1b7daa3fb2e122edafe2ffb34993dc3b

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
96KB

MD5
cf296a49ed9c19de60f5c85a0f214423

SHA1
c6d8919bddd09ea413f5bb33dcbd10e65df5a2fb

SHA256
de50e3e977d999c730c727d47941461508af7601099a7e41addb3fd001088118

SHA512
d97ca5274c644c7a1c0a4750e3172bb5c3ffdb7e3088a3685a45de7ae3a612d8be1f8d23584067a4eb5f21834d216e1533857ef8e8c86b434716c1e5e9a3cd17

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
96KB

MD5
1115880938b033e40bb05eef6376ff91

SHA1
a254b181ecb5459ad64815c157b8dc15b0335212

SHA256
f1263a5a28f495c609807fbdb196746bf11f613230194c09ab1e85538922af4c

SHA512
5721ee5db472d96df4c689d7f0536c5d2033a98da7202e9f7847a08a76d4183d93ccc1c2180a98a7aa3bff9780c03a822ce3b986d1ba41252b58fd061c8b507f

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
96KB

MD5
3665c89487d10f4cff4b15a37cf85069

SHA1
0ce097fa3ad47196268be5fe344e18bfa3b60c67

SHA256
691306ca70a8c96345d470a1aa6afa832e543103703514d8cba1b8492e0a0265

SHA512
a8adbbaf6c840ec837b03b1f1c9166b02a72749bb904b209fcee8038cb4092c3a84238733e468eedd78b5023da732b9c6f02b23130ae6aaaf021962ffec02c63

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
96KB

MD5
ee3aeec60ae8a913153b88e7625e581a

SHA1
6afedc2c01940ba927829bd3aa04a8c1e11cb307

SHA256
c27403acbe8796fe899adadb3cad8f049d0ad552ae09c9bbb976ee8c026a7f3f

SHA512
66d7366c1b5aff4c124ff1a7b7c2524ed2ff0883c892279f276a58994bf764aadf0ecd8d62ee7b98ef99299d7e7a88619c8fa8a28a444cc4b1e7e4dfbe829e71

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
96KB

MD5
ea8f5a6c736ecf921b682bc47b90746d

SHA1
6cf3cb45baf55c9f20ae5c4bcd12105140653b1b

SHA256
a7e9a270c38342dc0205784e68fef50af34d19aab88d0ca2a5663496fe9f0e20

SHA512
15ed10f6838b2e207c116c7e045ee591ab59509f03668d3a756def737f61e9998d6c54664ccb195afcbad2aa8da7d135b1a48175681a8fe483713259e67cfd17

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
96KB

MD5
ff345a7b071ce6bfecc5e28a708384a3

SHA1
628f528a07d189d50c4e7411376cf04513150b68

SHA256
b776dc0daf566c1ea4deaf828b6f7c7f5ed82d85d775944416b67d18bfe15a93

SHA512
204cca090691254c89298b1ac14d4d0728e00324ba4a68f6da47f5961be5ba3355876cf9abcac7e0dc4ca8612733e2addc598845f340f14bac16881d0eed214e

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
96KB

MD5
a36f80d933e234092c66998b2babb8ed

SHA1
06482c14120d77565232acbb34db7de154d6bfa5

SHA256
908658bd0063f670317532383e7e0bdbd2fbbd95f5186053683d21d3423a17f7

SHA512
cfabd543619e0c58cf001d332c9894e4e6bf0e6a2b8bce6e761cd839815c7d736320406e4843ca3284487a4bbf78563d9a8b328b4249240c5e5ece4f170ae30f

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
96KB

MD5
c3a094fe8f83d50d61a07720a19bd0cb

SHA1
87b955c9eeea24c2c25d343cef8a617a49d8a012

SHA256
0bc7291e7b43565e832c1f0e1372d4e0ac69c347d102dc195894757b5961b90f

SHA512
887759a78fc6c575f77d46700e1eadd01fd72d50056f64e9bcbdf3349bbf2369ab555deacfb39a946e68008e527c7f5cce5f3c408b695683541dc47023fc5504

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
96KB

MD5
67a84f98f46f5be03210eb16ddadfc93

SHA1
9b96be3e26ff0b710a4255cf5f97bc45d8a2d040

SHA256
99371dd084e2fc2e4a077beb53ee63a914f92b876ffdb9d18fb57d0a8a423b4c

SHA512
1745b6747b1a504638a20588f1a4d431096f0ec8b7cc2186f771b0ffa476934d4c5520142a3665af3ae9bc3c7f20aa5777e4adfa8dbe0a5dffe3bd4620b62419

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
96KB

MD5
dee12b1536be438a22636e956a78b9e3

SHA1
3020d44e7539f906eb44ac6daf24b17b6adb864e

SHA256
85ee82119e761be3b30cd9a5a05318bd4e99d629a88ad5373e5d47ad95da1151

SHA512
c4781e4a68171d10837b571187192b7583baf479b7458049bb112c1d618cc10dfefe60732f9618bb15b2d00dd30c0c5d22d06d94455c4f5b12fce558e8b3d0b3

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
96KB

MD5
f52794b6681b2c762cd1dee88e55777b

SHA1
1f4a39d1f7db1ccf351a8b030be52b9d07809856

SHA256
3a26f8a5cbbb4e123daae38fd900672139b2ea1b10537195ff7a900c780ad0d2

SHA512
edaab45aaadc779281f872b82be7fb726633f7534f3929d3478108661ee40950828238b720ea95e8987b83e5c0826405c8e4451219b355abefc3b627a5247ada

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
96KB

MD5
a272e95ccbbf4f209f4ec9127d7880bc

SHA1
e2f47b362c133f3674997aea3fffc9dea9a72962

SHA256
b8f3367df324095fb79fc49fab6716ad7473a80322bb5ba68d06080253c1451c

SHA512
d6b876ac79ff6eed0ee06c1ddf46210f37b7053da42ef17e7702cdda0a82262be1448f6ea4aa7ecd737717265804c17252cdc5a9460db3e4da23787a1ad3cda3

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
96KB

MD5
6a3884925c1ac8ad691bdd3ab1cb4777

SHA1
14b40a1b5af3b3279ba6a39c35a10a9b9b95511c

SHA256
036aef5fdea305c01a834abc00d1cb3be6f2a1c50e59d890d00fd4eaeaa0e18d

SHA512
e88472f8c98ff59eaf10aa0bfb5716bca6644a5c4004b0f055ed194605577d695aa7f71977803d091a562a6592b7b39da3ed4f3e40be72a7004425c26b90d6d7

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
96KB

MD5
7bd8d40733817d47d8223e6dfb02aa8f

SHA1
22807f2db44abd006d0700d7f6c1638f00f5d6cc

SHA256
c74dca6b1746ea92be322752fab20d598d973260a51e2f4c439788b1cd807a27

SHA512
ba46b32caa8e381a00f96321010d2dd4190014258a8a2f895eefe32102c0d7ce6e1d44a95a2060381da9c3e3b37fc48634598558e0fb1fc83a5e791ec8fe46d0

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
96KB

MD5
7d838fe8488711a16deeaf7feb10fa0b

SHA1
8a558f69c3767b45173c87c434e65b52079a750b

SHA256
fa0a97a09b07095d975f5d896158ed7d38e43170db0f1abaf221e02f745185c0

SHA512
26a42a7693d865ec766427d20175787692962afe04461826192227cf92fb002592dab7fd5112b9cbfef251fce34334fb2a5f8acc300a58fe44348e96082da222

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
96KB

MD5
cdd4287dd4dfb4bd0b969277a07beabb

SHA1
8022ccc0ee909427188c83203f1bdff80614e80e

SHA256
577d9fea98f4ac29d2776f1f08dd91704d3ab308273124f75840ec1f2751494a

SHA512
e85c1ba3b2fa5d7f40e6d5654fa1299cd5efeae2f770dd50790d5866f2227831f9b633dcafb8e41dfdbb459fd1df80bdb00286d9e6279544f466130e7d76fa52

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
96KB

MD5
93590478c3abeea1a3357bc6e0849c97

SHA1
55095ea1b59b8fb1b884b5c4ce6ee6dc41f02ffa

SHA256
7d8eeae9d52cc334e4dbdd52003c42bbd53e3239eea2a2aa0e3a21e04477b8c9

SHA512
67ec49ce8cf7f9a63016aa9f1f27b538fbef7e6f0591c01e836899a4871868c15721810bee337e7ee7c7ca6eced93a09944cdc2cdae96d0157c55e061b32df9a

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
96KB

MD5
8894e9d98d06e5995084e22327771962

SHA1
7501093fe218660b953e47b3c83e1c36e1c1826a

SHA256
1b1f2bacb612483d40a7e42052ea0be4102ad52558aa2e3b6ce2dad7049793d0

SHA512
8a4420557a9e15d203560ada87a668c27fe37ad77729edc87ce40a080f6eda17555943ea7b9a9aa3e2bdcc3dd1840189c9c7bd875c07116f35480887d6dea8c3

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
96KB

MD5
00138e58b6908a3bdcb663ff370b02e5

SHA1
400fef089d0d09e969e5f72a1742b8b9bb6ad3c4

SHA256
a86d49274f6fbb39e8efe26b4ca5b7e5c28a8a6348a5dbecdd8fb153342e7a44

SHA512
dc9e4514d4c9dccdcb25e24b6cc8048f48c186fc7ec66e50a84f22d425247b016a427c3dd52b9157b7a65dd08736bc4aa23de08072c3c8f58f97c5c852b0f887

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
96KB

MD5
a72ef7e1a36ff37915104be214851364

SHA1
761043217ee6af2fa2e9abd627d70f5581fd67f8

SHA256
2250be089b3198e470df3570606ede23a6fbf69e9254cd06d7f57d9b1522bedd

SHA512
e0cdbcbf9095a59e14da82968651b390ebd97549cd851d726fcab74d91d7fc5fda5e03965ecd912b062a21b38e593b2618bc9a20c2fdf016f3e6ab71663ab332

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
96KB

MD5
d988e475e0b3accc3c62427e43844ce6

SHA1
1c97cd5059fcc3cc828d81d8189321e364f1eca0

SHA256
cd941f7b96c06296c9b7a8534cff8f60ad4a073e3d7e984bc0dab784bc086a42

SHA512
ef5fcfffd840f1ea9ed90594bd38b4e2eaa1cbf482f2e33aeea4ea99726f40b6c3880786c7ebed8fd5482c5a15a7668212d9f44c4b9d5d5c1bac993273bfb872

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
96KB

MD5
91b8cd0dfdaa6f0dfada7a879d20f2d1

SHA1
7c65f1ece7eddac0928d999a6c5f1abed1d5bcec

SHA256
c0d0f3df2df9de9cd00e486450dfdef0f9350fa53a58af835674015f47b79ee8

SHA512
5902e959f15691eb081dbc6ac860076c8e589d3519180af62c1dd14328b267a4ab3e13c70b991d1a53875e0038aeac02881500de78c703cb4b536b2ae4ebe2f3

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
96KB

MD5
fcab1a33ba9b45126991d3e8520e81cc

SHA1
a035f4fc892a5d3df1675e25bd3b48231b57a945

SHA256
42d369e2dfa466a49263985fe7e230203df6b152aa2dacf17126994472dcf42a

SHA512
ae29f343d14cc41b776cbc88e8f7a81008423f27243e333d05131cd3823a8033ef7f5d0a5bf3325150d09ae59003cca063f7be7b1136b8905dc578fe92bbcfd6

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
96KB

MD5
77c63769a9f3187d8e8df6278322043d

SHA1
73569a07320371a9c8b6e4831479c82d94f2bf0f

SHA256
70eed6e79377020bcc0e9150caa555dd5821e30c854c1a7b98280a622861ea7c

SHA512
38ebdc7f9373e913431ea54e05f5a1fec1d1a62a8b00de9f84a817f99a370664f80d924d016ec91e78d7ec71c73e7b502a14ff8437f6f0f720c98cba908df658

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
96KB

MD5
1596b398b38b44e0aa0321b1fead9b64

SHA1
74294a6f25fc93f415b4eacdf0c37bb41cea678e

SHA256
e37be3c8c042b03bd7a1550ea27e48c57fa526d69f2c368dfecf268473e3355a

SHA512
a189b1140563eb2fd0b3b0d0c6231e6d854c68ce595735738dba872004adf831e65f80520be7b0168fe274d99046d4981a7f912afdb846d040029ea2a0dc690f

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
96KB

MD5
4641f89aca2d1a07a280dbab99c78806

SHA1
54254de11ec679f2a06e3a23fd110ac65f7e0724

SHA256
f52a37c7329caff496e4c7903dc4272724420bc215efa15fad2b0d6f0e1c70a1

SHA512
6b526d23d510b1f4bd9ec3d7b166cdd3f653d729d584e23026d8ad3f39de37858b6aee29960f1e8aac67c9762249c61008e5e6cf7d51556bfc882b7a74e4cb81

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
96KB

MD5
6ffb6da5da37271cbe8d5cbf588973fc

SHA1
4cbbbb12dd21940d523698d9e3ec4763eece086a

SHA256
856f2465f8123b5df588fa318bc62d50c635cd2456eb741eebf05a2ac2358a9a

SHA512
bb915d841c9692ef5841d16dfad844db60e2ef568f975f4f21d398fbb15bee4d937d447bf0acdc5229b2488e7b4cb953fad98ff417c5a7dab1abb05ea79a4635

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
96KB

MD5
cef095a6715f96980a78402a25b0e8e0

SHA1
be23595c416d8dc808657a446e8a77c347b23cbc

SHA256
5e20968e812f8facbbad7c78185b76ef2906b50064ca1eb7d260f9e7c57f0689

SHA512
79502f7e21c6cee385510fb6c9d54fc654e15d3471da06925d01a22336425a41507e812aad255591f2c10047a01517dd51602f719332bd3bab0540b1b6c78fc7

Download Submit
C:\Windows\SysWOW64\Ggmlbfpm.dll

Filesize
7KB

MD5
2ed63dd483a6182838143ee925a606c9

SHA1
595411d2ca8e5d066d72d9b95913f46f6a40ccf3

SHA256
c74beab6412430a064f96c1b4171d463b9002e870217e0530d612928e89a8210

SHA512
b691657bb665642470a1d7ff65a9814af3c6bcfd8d10542d8f55a875042f207e949e1ae951c6e3c96cd9e233ac2744f0f7e226f8eebfb42f8fc88e64c70e0e40

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
96KB

MD5
05144e02cb91d6e4d553ee81ca372b8f

SHA1
e2fb2aee95bd7d90b7c73f38edcfa286638c45d7

SHA256
e4bc0babc8e1e958c887287fdbe43f6c07c7850f019ef36d88e0151693bd78c4

SHA512
2f55faae659ebbd93a4de7c1131ae3d20964aa15bc52e338cda05644d385d449a6f6d1d02707db516fd641b1d51ac93f48b6ed0877923a2a03c0a1ef44921796

Download Submit
C:\Windows\SysWOW64\Kmgdgjek.exe

Filesize
96KB

MD5
2e6e6a8678886b3becd9a982962577d9

SHA1
6326c40eeb410eb37225b10467202fa1e321bd81

SHA256
1c85f43cc43ddacde56f287b6423119e93f0f50c2a8cec8b8b80709bb70ce0b8

SHA512
4fee7af1930e2216ba27077c21432fc0cd7c2ca7af2a00ce7e3493994744ecea2552e2334f4a755dad5eaa80c8c76d80c25d6c71d10be15f12f7efec61a5f58d

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
96KB

MD5
2d893afdb460f27c980cd5b15d413570

SHA1
5dad0e058868926840f24d1da993015e6c4a8d10

SHA256
f6ae8454905a6c0a650589df4a947c28d6d2d6558e95504eb80c1e6c82567aae

SHA512
0b17cc3e3699e6106187e6ec4ec730b50f1a9536bedf950b13efa3cb3f7251b7694065f432a229fe2f06e1fe1e487572f2c36f7047f486802b9e6299fd96341e

Download Submit
memory/116-285-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/512-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1040-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1232-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1288-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1572-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1572-89-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1580-97-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-273-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1656-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1684-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1920-363-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1980-362-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1980-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2084-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2480-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2564-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-242-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2676-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2680-212-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2852-356-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2856-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2856-84-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-40-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2944-163-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3068-246-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3100-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3128-237-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3196-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3204-369-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3204-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3328-221-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3424-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-153-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3456-354-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3460-279-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3652-76-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3656-209-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3684-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3684-149-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3788-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3788-110-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4012-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4128-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-217-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4188-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4196-122-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4276-254-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4320-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4468-262-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4648-229-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4716-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4720-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4828-86-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4860-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5004-292-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-293-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads