a75cbb614cc2b47506899340360da63cbe90d12e0a24246ab66ab80da9cb74d2

Analysis

max time kernel
93s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a75cbb614cc2b47506899340360da63cbe90d12e0a24246ab66ab80da9cb74d2.exe
Size

512KB
MD5

ab3b1f0983d486a28f7f119953b97e78
SHA1

738ec0a107be85cdfc75bc3a7aece71d89759357
SHA256

a75cbb614cc2b47506899340360da63cbe90d12e0a24246ab66ab80da9cb74d2
SHA512

0881de18fe2e2dd5e0b48227102530f21537d31b924a5702a7ed89f37ee02639213db4fa3d86b2661d9262e34ac50facefaa3c5260681804ab8d3a3936087b10
SSDEEP

6144:9eXg28UZP8VU5tTO/ENURQPTlyl48pArv8kEVS1aHr:3wUG5t1sI5yl48pArv8o4L

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqciba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gidphq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe

Executes dropped EXE 64 IoCs

pid	Process
3068	Eflhoigi.exe
1220	Ehjdldfl.exe
3680	Eqalmafo.exe
5052	Ecphimfb.exe
4940	Efneehef.exe
2916	Elhmablc.exe
2116	Eqciba32.exe
3944	Ecbenm32.exe
3828	Efpajh32.exe
3976	Ejlmkgkl.exe
848	Emjjgbjp.exe
4972	Eqfeha32.exe
1624	Ecdbdl32.exe
4020	Fbgbpihg.exe
4092	Fjnjqfij.exe
1524	Fhajlc32.exe
1380	Fqhbmqqg.exe
4764	Fokbim32.exe
1796	Ffekegon.exe
1400	Fjqgff32.exe
4856	Ficgacna.exe
3124	Fqkocpod.exe
884	Fomonm32.exe
928	Fbllkh32.exe
3984	Ffggkgmk.exe
3208	Fjcclf32.exe
3228	Fmapha32.exe
4872	Fqmlhpla.exe
3456	Fopldmcl.exe
2476	Fbnhphbp.exe
3776	Ffjdqg32.exe
1056	Fihqmb32.exe
3556	Fmclmabe.exe
324	Fqohnp32.exe
892	Fobiilai.exe
3676	Fbqefhpm.exe
4408	Fflaff32.exe
3172	Fjhmgeao.exe
4432	Fmficqpc.exe
5012	Fqaeco32.exe
4332	Fodeolof.exe
1812	Gcpapkgp.exe
4368	Gbcakg32.exe
3336	Gjjjle32.exe
2324	Gimjhafg.exe
4184	Gqdbiofi.exe
3600	Gogbdl32.exe
4816	Gcbnejem.exe
4016	Gfqjafdq.exe
536	Gjlfbd32.exe
2952	Giofnacd.exe
1568	Gqfooodg.exe
4528	Goiojk32.exe
3872	Gcekkjcj.exe
4080	Gfcgge32.exe
404	Gjocgdkg.exe
4392	Gmmocpjk.exe
3992	Gqikdn32.exe
4364	Gcggpj32.exe
4916	Gbjhlfhb.exe
4196	Gfedle32.exe
1488	Gidphq32.exe
1628	Gmoliohh.exe
3652	Gqkhjn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Eqalmafo.exe	Ehjdldfl.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ejlmkgkl.exe	Efpajh32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jplmmfmi.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fqkocpod.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Ejlmkgkl.exe
File created	C:\Windows\SysWOW64\Fopldmcl.exe	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Ffekegon.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Ficgacna.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Ngiehn32.dll	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Elhmablc.exe	Efneehef.exe
File created	C:\Windows\SysWOW64\Ohcepmcb.dll	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Ffekegon.exe
File created	C:\Windows\SysWOW64\Gbldaffp.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbdl32.exe	Eqfeha32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kknafn32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Eqciba32.exe	Elhmablc.exe
File created	C:\Windows\SysWOW64\Ahgndd32.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Hbanme32.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fmficqpc.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ehjdldfl.exe	Eflhoigi.exe
File opened for modification	C:\Windows\SysWOW64\Fmapha32.exe	Fjcclf32.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Ficgacna.exe
File opened for modification	C:\Windows\SysWOW64\Ffggkgmk.exe	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kknafn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6840	6576	WerFault.exe	288

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldooifgl.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a75cbb614cc2b47506899340360da63cbe90d12e0a24246ab66ab80da9cb74d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giofnacd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihjpn32.dll"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbjnl32.dll"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bppheeep.dll"	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqqjmnii.dll"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcqjfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcglnp32.dll"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 3068	2888	a75cbb614cc2b47506899340360da63cbe90d12e0a24246ab66ab80da9cb74d2.exe	86
PID 2888 wrote to memory of 3068	2888	a75cbb614cc2b47506899340360da63cbe90d12e0a24246ab66ab80da9cb74d2.exe	86
PID 2888 wrote to memory of 3068	2888	a75cbb614cc2b47506899340360da63cbe90d12e0a24246ab66ab80da9cb74d2.exe	86
PID 3068 wrote to memory of 1220	3068	Eflhoigi.exe	87
PID 3068 wrote to memory of 1220	3068	Eflhoigi.exe	87
PID 3068 wrote to memory of 1220	3068	Eflhoigi.exe	87
PID 1220 wrote to memory of 3680	1220	Ehjdldfl.exe	88
PID 1220 wrote to memory of 3680	1220	Ehjdldfl.exe	88
PID 1220 wrote to memory of 3680	1220	Ehjdldfl.exe	88
PID 3680 wrote to memory of 5052	3680	Eqalmafo.exe	89
PID 3680 wrote to memory of 5052	3680	Eqalmafo.exe	89
PID 3680 wrote to memory of 5052	3680	Eqalmafo.exe	89
PID 5052 wrote to memory of 4940	5052	Ecphimfb.exe	90
PID 5052 wrote to memory of 4940	5052	Ecphimfb.exe	90
PID 5052 wrote to memory of 4940	5052	Ecphimfb.exe	90
PID 4940 wrote to memory of 2916	4940	Efneehef.exe	91
PID 4940 wrote to memory of 2916	4940	Efneehef.exe	91
PID 4940 wrote to memory of 2916	4940	Efneehef.exe	91
PID 2916 wrote to memory of 2116	2916	Elhmablc.exe	92
PID 2916 wrote to memory of 2116	2916	Elhmablc.exe	92
PID 2916 wrote to memory of 2116	2916	Elhmablc.exe	92
PID 2116 wrote to memory of 3944	2116	Eqciba32.exe	93
PID 2116 wrote to memory of 3944	2116	Eqciba32.exe	93
PID 2116 wrote to memory of 3944	2116	Eqciba32.exe	93
PID 3944 wrote to memory of 3828	3944	Ecbenm32.exe	94
PID 3944 wrote to memory of 3828	3944	Ecbenm32.exe	94
PID 3944 wrote to memory of 3828	3944	Ecbenm32.exe	94
PID 3828 wrote to memory of 3976	3828	Efpajh32.exe	95
PID 3828 wrote to memory of 3976	3828	Efpajh32.exe	95
PID 3828 wrote to memory of 3976	3828	Efpajh32.exe	95
PID 3976 wrote to memory of 848	3976	Ejlmkgkl.exe	96
PID 3976 wrote to memory of 848	3976	Ejlmkgkl.exe	96
PID 3976 wrote to memory of 848	3976	Ejlmkgkl.exe	96
PID 848 wrote to memory of 4972	848	Emjjgbjp.exe	97
PID 848 wrote to memory of 4972	848	Emjjgbjp.exe	97
PID 848 wrote to memory of 4972	848	Emjjgbjp.exe	97
PID 4972 wrote to memory of 1624	4972	Eqfeha32.exe	98
PID 4972 wrote to memory of 1624	4972	Eqfeha32.exe	98
PID 4972 wrote to memory of 1624	4972	Eqfeha32.exe	98
PID 1624 wrote to memory of 4020	1624	Ecdbdl32.exe	99
PID 1624 wrote to memory of 4020	1624	Ecdbdl32.exe	99
PID 1624 wrote to memory of 4020	1624	Ecdbdl32.exe	99
PID 4020 wrote to memory of 4092	4020	Fbgbpihg.exe	100
PID 4020 wrote to memory of 4092	4020	Fbgbpihg.exe	100
PID 4020 wrote to memory of 4092	4020	Fbgbpihg.exe	100
PID 4092 wrote to memory of 1524	4092	Fjnjqfij.exe	101
PID 4092 wrote to memory of 1524	4092	Fjnjqfij.exe	101
PID 4092 wrote to memory of 1524	4092	Fjnjqfij.exe	101
PID 1524 wrote to memory of 1380	1524	Fhajlc32.exe	102
PID 1524 wrote to memory of 1380	1524	Fhajlc32.exe	102
PID 1524 wrote to memory of 1380	1524	Fhajlc32.exe	102
PID 1380 wrote to memory of 4764	1380	Fqhbmqqg.exe	103
PID 1380 wrote to memory of 4764	1380	Fqhbmqqg.exe	103
PID 1380 wrote to memory of 4764	1380	Fqhbmqqg.exe	103
PID 4764 wrote to memory of 1796	4764	Fokbim32.exe	104
PID 4764 wrote to memory of 1796	4764	Fokbim32.exe	104
PID 4764 wrote to memory of 1796	4764	Fokbim32.exe	104
PID 1796 wrote to memory of 1400	1796	Ffekegon.exe	105
PID 1796 wrote to memory of 1400	1796	Ffekegon.exe	105
PID 1796 wrote to memory of 1400	1796	Ffekegon.exe	105
PID 1400 wrote to memory of 4856	1400	Fjqgff32.exe	106
PID 1400 wrote to memory of 4856	1400	Fjqgff32.exe	106
PID 1400 wrote to memory of 4856	1400	Fjqgff32.exe	106
PID 4856 wrote to memory of 3124	4856	Ficgacna.exe	107

C:\Users\Admin\AppData\Local\Temp\a75cbb614cc2b47506899340360da63cbe90d12e0a24246ab66ab80da9cb74d2.exe
"C:\Users\Admin\AppData\Local\Temp\a75cbb614cc2b47506899340360da63cbe90d12e0a24246ab66ab80da9cb74d2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\Eflhoigi.exe
  C:\Windows\system32\Eflhoigi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\Ehjdldfl.exe
    C:\Windows\system32\Ehjdldfl.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\SysWOW64\Eqalmafo.exe
      C:\Windows\system32\Eqalmafo.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        31⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        32⤵
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        36⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3676
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4432
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        43⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        44⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2324
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        47⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3600
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        51⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        53⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3872
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        56⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        57⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        60⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        61⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        66⤵
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        67⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2400
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        69⤵
        
        PID:904
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        70⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        71⤵
        Modifies registry class
        
        PID:3188
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        72⤵
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        73⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        74⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        75⤵
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        77⤵
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        78⤵
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        79⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4820
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4896
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        84⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        85⤵
        Drops file in System32 directory
        
        PID:756
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        86⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        87⤵
        
        PID:232
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        88⤵
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        89⤵
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        91⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        92⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        93⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        94⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:644
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        96⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        97⤵
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        98⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        99⤵
        Modifies registry class
        
        PID:5212
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5256
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        101⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        102⤵
        Drops file in System32 directory
        
        PID:5340
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        103⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        104⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        105⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        106⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        107⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5624
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        109⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        110⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5760
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        112⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        113⤵
        Modifies registry class
        
        PID:5848
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5892
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        116⤵
        Drops file in System32 directory
        
        PID:5988
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6032
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6084
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        119⤵
        Modifies registry class
        
        PID:6124
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        121⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5220
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        123⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5392
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        126⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        127⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        128⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5636
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        130⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        132⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        133⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        135⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        136⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        137⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        138⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        139⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        140⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        141⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        142⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        143⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        144⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        145⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5204
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        147⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        148⤵
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        149⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        150⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        151⤵
        Drops file in System32 directory
        
        PID:5376
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        152⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        153⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        154⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6060
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        157⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6184
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6220
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        162⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        163⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        165⤵
        Drops file in System32 directory
        
        PID:6464
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        166⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        167⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6624
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        170⤵
        Drops file in System32 directory
        
        PID:6664
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        171⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        172⤵
        Modifies registry class
        
        PID:6748
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        173⤵
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        174⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        175⤵
        Modifies registry class
        
        PID:6872
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6908
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        177⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7000
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7036
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        180⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        181⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        182⤵
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        184⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        185⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        186⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        187⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        189⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        190⤵
        Drops file in System32 directory
        
        PID:6656
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6820
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        193⤵
        Modifies registry class
        
        PID:6888
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        194⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6944
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        195⤵
        Drops file in System32 directory
        
        PID:7028
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        196⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        197⤵
        Modifies registry class
        
        PID:7148
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        198⤵
        Modifies registry class
        
        PID:6168
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        199⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        200⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        201⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 408
        202⤵
        Program crash
        
        PID:6840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6576 -ip 6576
1⤵
PID:6780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
512KB

MD5
f80dcfc7b93dd80faec50261bc3d7269

SHA1
24481025e939518c8fa746996c2485789b4c7c76

SHA256
786f24c055c94a8e3bae8c9cf98646408d5d7464afe2a1d1c482056e28a47eea

SHA512
6e321be08dc9a04287ac495cc911594df613c7cb82bbd285fefa56ceade70ba1ce8090f6cfef3b565374b5f3e3de9c609610ef7807f360b2b9c85bab0d15bbd1

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
512KB

MD5
70bd6565f916456ddc84630269e246f0

SHA1
b86b4d9830c708a3786636755b9049460c31faf0

SHA256
0cc1bdf5b9382d11ade3984f0a63d96c574ffbbefe49b622c4a8b6bdab384a70

SHA512
bf13aadf1f1a52fee391389b794bab6423f71bafbbee54d27f30b6a293b3de064d8978891608b68469945dc11db4d02180e0d9d5a84d97e8455c80627bdf48d2

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
512KB

MD5
6cc943fac3f2f040cb3831900a883ee6

SHA1
53be434c7deef8156ef9f713bbf29e03dfe02a19

SHA256
b25bc3a7de0cbc389d4900baf4374e7d36096f85fab5787a81d2578d5559cb79

SHA512
a5f0f2586fb86ff551f8099b89274ae55f63f23084c074ef8a8598d2ad98cd14807ec2c2486c91fed5931d663d45f7cff557ebfcc696ab863e775f5a80c4980b

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
512KB

MD5
d99e14a3c7dc14dc395b44c45ceec690

SHA1
33942527cc90bd4bc0b44db7f5f90da6b8e531ea

SHA256
6dcf4c6919e01b54f348e58bc881364118fc918852966e19bc7a0f19f103c117

SHA512
f25d0e18f0269d2c6166840273979d2f3a943ff55d00eaee881605734221e8154b09cfa40c9e0e12002d791a9a9fb839432c238199858c4da25f3f7389af325a

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
512KB

MD5
d5c8081ee492fbf6faf686f5fdd2760f

SHA1
d746304bd8a4e185ca1d385e63f03f4bea4a4d32

SHA256
cf5e5835d9270e4e743bacf61dad71c4261e33459592fcba09f7cb4437fc194c

SHA512
61adbadf349067e5505876902a794a9c2ef68320f87b54aa6ce91760a78e732ddab7138063491c23dde064d9837f7e27da733acb16a075ad38cbd51f56338103

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
512KB

MD5
8ca85e2ffc2b919793263d7a77690091

SHA1
14c4ca39c06042a761cf186c9409cb85b3f12e3e

SHA256
95b80cabb7209beaf0b3e944fcb0e2a0e991cefc979100ff5e01f7f6ca109a64

SHA512
e6701355e79fbb2fd6034ea85497514e2b80dcc23cdcc8bbafb658a96d3645edf893b4eb9e7cc56ef02ca01dfdf32ff37254d7c306e7c4b1b09aa8d7d94e6a99

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
512KB

MD5
37e0e032bb5adceddff4a92320087c86

SHA1
7ff3e753b5e88465923aeb693499884c4993740d

SHA256
68df8c76f36eb2fa9f7b305c8a08ab02053b9e1fcf348d5ffd2105eb612098cc

SHA512
d8cc42d5e417a6aed0a548c0307a32ce803e7c6d752db9255cc007ff6933a685b44f52da6acbaed231c673d8a9229197a25835d5128ec6b01412776fa9dae7f8

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
512KB

MD5
bd663be54007f03ada7e31c0ebd98391

SHA1
2e842efb002b0e45b0f735147188dc901c52418d

SHA256
79627f752d2e4408df1d9ec270f87ee32a31ba51b1b7fff0bccc15a48e41f38b

SHA512
03a356298bcbc5e926d0c4f5a39f7d5f98b17402bd92325f1ae16ad9d7fbc618ad478325f71302f20d9e648e4f4670ec33b18d57f0e01b7633bca79e15661f50

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
512KB

MD5
00289e93e597508c103d18648c401321

SHA1
230be3e63edb117f8690948c7259ed457ff3de34

SHA256
acc0e7c7ed080c8b88414b387ca19dc92e2d052ca58c2c147bdbbbd82376b65b

SHA512
b762290d5d3d24c3a6d1b2c338ab4658278a9c5bcb66d09ac64be8977508a9afc4837b093a1900055f887b390e4616053a98db7a4ec66552f2f29239d18f3df3

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
512KB

MD5
de9f55cfd0ff43afc37a488e904a5237

SHA1
5910a6fd81600227a10a4e6f48094ecd6d798710

SHA256
4849bb0dd9ff432c94254a6ff3ee3c787dbea2faadb825a7150e1790fc5b906a

SHA512
a4f056e22c08a263c4df1db592d4315cbb30723c5a9104e058cfc99a7f131fb078d1e81ff2cecbe9f1811f9a34f7488e06e5dfc2d7148175c4806f7e7c2aef93

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
512KB

MD5
c10f7a17329603f271940fc2648a8fb8

SHA1
54949630e9e12d95c4a3e0fd5f059ede21eb7de7

SHA256
bb10b3b5ee3fdaac041070fee211970583ae29d1505ebb628177c60b1d90d13c

SHA512
10a2ac554f3fec14582dae56de41a72240ca4dd94717ab5f9d502dca6c2ec0f6dc5071190d94fe3225d5f65651ae0a2f32e9fab627d954ccb4e8ce88562c9279

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
512KB

MD5
82c96c2427f85c3ef870cd74272ae141

SHA1
46e3b4958873c8f9e253ce2a2a6f3e96510afbef

SHA256
e587df8a2b2195d61d8db525d1b0e8c353bade93a4c6d3618dda05f66e0147d8

SHA512
8b77a1663f8654ec5d0efab18fc53e4d01d7679829d05063f734afa76dd8ca1276215651c3a4e486a0e6257ef8c9674ef37a1938322207cfc2a948d91b467878

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
512KB

MD5
d9c66d918ba5382231d67e28fb8a489a

SHA1
fd3167ae411984d07549c3e781ce0b44a613ff7b

SHA256
63f46d2731d7c7ce04ded3ed3b4ab420d77fe99fd1d0c9134e954a228e13c99c

SHA512
ee8e75fa01d70116a6b2e0c1e02b4875372e07a4cfb8c8ddfb3b87dcd4989345b1464e4df389bebd53866980e57f812a1bc352216d174382cba1ef10bd813edd

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
512KB

MD5
30285c637b86014b62665a9780f5623b

SHA1
652a9b494c3879679f09dd69059bc76b156c755f

SHA256
dc2daeb8ffb2c7e728e5c58144b8a7b75bb056d1aa99b26bbdfb3873860a742b

SHA512
d72a182d53b98b656b3bc6d4176158dbbeed2cf2fac44d0a277a60a75ac42aa94e2466d05c934a9891b892c87193d5d3c484a8684d4d1876b506b4f586a1f136

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
512KB

MD5
84012cb37a044999a9d8f5606d8df076

SHA1
ad85c0f3b7e17481552f6d8342e59977f7841019

SHA256
ad1c68c1ca05b374471fac7c96d62e7a1dd723638de352822703091906b2f053

SHA512
d98247d106bde91c891bf466020de9d133d88b673aedb585b224b4ad1a5105c5ca19d629a2849cc160abb8087b68798d1b33a3fd6ccc8967c0e536a488c4aec3

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
512KB

MD5
239366c2e6cdfbd4be85cce3b9747aa8

SHA1
88604000b5b034c8aa20092ddf13499509c00123

SHA256
9004719d149af6e4ac8fa3ab2a5d3d62b0b9b0c6489eee76f7fa3160f7b230cc

SHA512
3db7940f476c422e7189e2edf7e25696650b0011c23d404a71d016a8f4e5d9a75ed3013b81044ce38f004e5076982eb08b9d864fb39ae5972d3905fcca94aff1

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
512KB

MD5
995dd4894146199dbb1bf1cd4212845a

SHA1
1a41e349da1fb467ec0e778aa8780c4c8cdf314a

SHA256
240b3420e363bc09a2f94d5574bfb9e65c79edcf4bffbe88afbf746475631234

SHA512
d50dff4aa0f6a7ecd7b853c639adac521ddea2ac1430dbe006d92e1795cf4c22e5e6ace0d77ee254ac5c3f43eb93a7e1a40bc6eb5db47eef3302472f06e7cdb0

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
512KB

MD5
388bd8c846f225f7cd5c75495b150f44

SHA1
f5603f88c2fb78f24e9666c546536cb854d7281a

SHA256
31effac78e91f83d3ed6653086614741d2b1004f9deb59c552ec2d431aa1296f

SHA512
9a455332779ebce4198777f79a5f1b9c6e83418093e346e7032d1fc52033c1421c14d8c45393d85f2bcedc7f4c5a952d70a653b22b0f6a37d79c605e11ddf503

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
512KB

MD5
f3c182afa9bf61f1b78375de6611d04c

SHA1
1de87d5146d2e7634a7cfeefcd8a2a25599c2bc8

SHA256
df7f78b6d29ddb0b5f83d1e12bfc794e3f3f69191ae3f226a32f0119bc387325

SHA512
e8fd3ecb261ca390a9dd4f69b25771892b5d8e3bc347d62d738742acac7c8aa2064c891d6b1cdde91e900a060081d38fa58c52b34bbdfeed026774d5d2732987

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
512KB

MD5
ed17b2281792ede5deac59f145440c9e

SHA1
bb543e9db450441774033dcab133c613d7262204

SHA256
4870020586a428a02068e32692d9b2f494827dec126da9987eadcdd8023befb2

SHA512
4b030244e815874bb938838bd0f85d1c6c595bae2c45b2b30ab35918a3213ee3e073b994a682775aa602abdd9c045a5af0a6018f5d7ba616ad502aff05f38c9c

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
512KB

MD5
03cf17df66437ffb9168ad229eeab638

SHA1
045e193b0964adf6258ed87c79428635eda4b222

SHA256
af90fdf9286dd1b1aa04dd9f98082a38afa0262f2d18d84eb1bae6c26c83e4d3

SHA512
769d4543a6fd2fb5df58d267ece96eedc681c5c57c3001524275f0d865b52af715457dce5f1bd6a3f2a35b50718e87afe0a2a18046d88d0dec07a7a1606f70dc

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
512KB

MD5
5ef4e20f13f6348367b45364b7ccb9e6

SHA1
c1c538279d40019ed7e17343313035a3cb589a44

SHA256
280ef20e37d00b72b6f8bfdd9eea0b7fbaf168fda7efd307922bdf4b68893746

SHA512
ff08de8c6993966fe43bd79d5cb3b0cc50191c598b0ca8912536fb03af98e0e7f0fdade66317eaf5455deb9b748828e0fb1054cc7b2e23ac14a3ec5fc92f294a

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
512KB

MD5
6bd95697383cd940f7c07f4fd6b036f6

SHA1
a702e518a85dde1446ea14d73ec41a9e05964d43

SHA256
dc838566d4a3d2778d87a0b460b9e38cdfa5ffd93bb707ce52a2cd2e604301bd

SHA512
91b93e858d9d3f9981ec2e1add17b55caa346e0824489d69cf1448d93a8fe8da0663b23c53bd4da165702e5cd82b2daa67bf2c3d64398ebbe6b53fd579fcc811

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
512KB

MD5
1c96cbe98ce9b353abce030eff939d61

SHA1
fd5ae883d557ae2b742af6afe52ef594c4fe8aaa

SHA256
12c5768d45d6f2af7042adec418302091105f3296d59537dd9d0da08dc3b132a

SHA512
0619584a210628de999ec7f4fa574a66522bd96f50d16c1a7ecd084e37e213412e7265b3198e74442912fb0a2483f48beda1db30c43b3f5c8d3d3fcf13af30d7

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
512KB

MD5
5a4c9dd8e3dee60f84b2db7b0de38b3c

SHA1
40535804ecaad602e62817c3764d29c6624d6874

SHA256
51dc857c6e54362b4b0172f34e5997f889a170d83561f6df7d105361920d0fe8

SHA512
f20be0c199ed4fa86bc29a2e36758fb89bcff90381ed5c6c2acfacdfe109522d945f352eacce6658bcb76ec9733280d364d287c8a4c8f92ca620fe2c69c72f51

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
512KB

MD5
07a23a7f6fb0b54bea868fa5dfc12068

SHA1
53179103d92280afc21c299e7c6a6f4e64380319

SHA256
5c7df828cac35a322f5776b24c7faedf4efd9988bf97afa7e966121286c7482f

SHA512
d6d5ef936cc992465cf1f3b3007730b92b920ff7f37d0d61142e901eda181bf36a12fe7fce31ad7fa73cc6efffd13f61d906288b94796b38004046ce33b70beb

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
512KB

MD5
833c409e861ba68938ab8edc7d1b1f48

SHA1
001b8c3be555b3f8c815520c6c4d402b65d57ea5

SHA256
3160a9ff8db29e4a47fa1eccf881c1a80e7adfc94823443b08a661da7cb12f20

SHA512
fd338df5320bd1fd88c393916c7142e02a5a9a14730676703873feafadda44954020a3c5d72136d6132c110a375382b99c7678b2638c5aa47e2a38b4f16b1117

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
512KB

MD5
338e4292f92260422b8b733b1a0d16a1

SHA1
e3a320d3e5483de962dd0fa9a0957a0dc240aa1b

SHA256
f95ecd727753ec3c015c5f05181b8cbe48b575e7031ac1faf9f96b8cc29e9cd4

SHA512
3396af341404ee8bd2dd214a4bd9f81da270083aaf56b3a15154695026a628ade2cac4c1116455f8870af40d60be5f0173f316fcc4d99fa18916779eb2a08cb0

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
512KB

MD5
5431e2fd847762659ae09237ca848561

SHA1
fd8abdf0190f388d2543f0791828069c2d12188f

SHA256
3aaadad7e089f572fe2407658fc44df9ab4452ea7d3751174b729eca6bc4a328

SHA512
6ecaa8a4cd085ed320d229e2035f2ca7b6456ed17a4fa98562866fdc5265905a13dfce69da970186b7f3161bc738767f6814a2853085792531bf08c57f34de26

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
512KB

MD5
8dfd23f3226a3c25f2a71229a25769f7

SHA1
a688183088ac88081c3510980e7d1cc0c8d44515

SHA256
10d0a8c0ac65ec4fb9b20336fd5909531cce224c2f15f45c185c4c41a9952d5c

SHA512
5395629c712a0799ba0b9a1fb547cb001639fee6bd016e978e4aa51c9a4a8e136af2116e3339aa9058b5395f9d3c2ac8c9be1aade4043a3b96f7d0cf09cc6e01

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
512KB

MD5
16d282348d7094eb35df56c3926fe899

SHA1
9c11b3222daf789e52b791108a27cf0299480e22

SHA256
ed30e0566640582fb063e767a8c583e1a32962cd95b80904452498416cbdb376

SHA512
e4e7e5577ce60c2b8b21055edb9cb230a1163eb2ba3d0cb4935363b08987481678de5cdf06dfe06d720540c96e1d7a90247218e45b34d1cc0964194bae4768ea

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
512KB

MD5
0860582eba24996890d7cb79f9e3beda

SHA1
19f0ece4411d6c651a650a05d82e6c5e1e1de93f

SHA256
e9a6bc8f90406b0ccd6374326d1d452e4880f2508560d2ef5a7e15ac4095197f

SHA512
8a04bd9266bdb878f3fa95b51008528f37a83d3e85d21750640ff94eea97990e12efdd1efc09840cdeea1fbbd69ebee3144f0f89e721ee027742ef54e3065bb6

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
192KB

MD5
bda61de047a26d75f26bf8bc6af281a9

SHA1
b13ca02713764fa2a276c132f068632cc7b0c0d7

SHA256
ba84ca9481e4585aa174ec3783934f1b0831c070ec10a76c72e430a4762b7c80

SHA512
98d793242d54bb30147dd65bcc6c099601d98ec3d8d5b7cfb0fcbf555519a8943f31b2db56d8e55f604dfe2ce23dfec235134777684b6c4725543d851ee935f7

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
512KB

MD5
a465ead089a31e4499e0e1a2f114f490

SHA1
475794bf595f73c2077d609cd6fecb9cd50862c2

SHA256
fe38f1a1b204d965be096e1cad081e5ca4f58bd4ce37195edb7a79134946b2b6

SHA512
118805d7e8986db75a1c80764c70422ace59c200fc76c19580dc231c90e9cb08daa67a6b999558ec2fdde9c504f30e01b90d2c38d68b84f08fd0dd77d5231581

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
512KB

MD5
62b58dc3034b2fa80400071ccc4d2e68

SHA1
469f0661eab1eed01d08da512c253839cf9d2abf

SHA256
f57ebaefc74775427aa5e15f28c677a1e38e5f612b4514822f21c837a98ef5a8

SHA512
6764ce78eeab544d9d3d7a8a7b73b2421af26cecddaf28d5760155030000a83761e01ca92c7c3f1e78d2994058ed30b189ea35d9aa44f4cf0808afd3df7d75ab

Download Submit
memory/324-517-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/404-578-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-459-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/884-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-523-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-480-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1400-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1488-595-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1568-565-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1624-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-596-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-485-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2116-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-1326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3124-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3228-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3328-1321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3652-602-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3676-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3680-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3776-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3828-451-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3872-567-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3944-446-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-453-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3984-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-586-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-476-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4080-572-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4092-477-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4184-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4196-593-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4332-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4364-591-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4368-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4392-580-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-525-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-566-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-484-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4856-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-592-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4972-465-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5052-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5204-1325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5368-1332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5460-1314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5604-1330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5700-1323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5736-1329-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5876-1317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5920-1322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6060-1316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6112-1315-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6184-1313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6220-1312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6300-1310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6340-1309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6368-1272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6392-1285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6448-1271-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6500-1305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6544-1304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6624-1302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6708-1300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6828-1297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6872-1296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7036-1292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7164-1289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads