e4963f482d8c93e73cafebc64bd79ac46809b2f8bf2826fb8bafcfd343f39a67

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4963f482d8c93e73cafebc64bd79ac46809b2f8bf2826fb8bafcfd343f39a67.exe
Size

483KB
MD5

b3b8be54fc6ac5bb031dea5a3dce7863
SHA1

eb605ddc7453319e420455a4095f0591d2eaa555
SHA256

e4963f482d8c93e73cafebc64bd79ac46809b2f8bf2826fb8bafcfd343f39a67
SHA512

bc0531849e17713e62f7cf7e1eb65fe2cb1f940142dd8a9558c2cca9999ee164e6f4c1c4f71f432bb547056b62703094f9627e8475815b98a794862c6ae274d6
SSDEEP

6144:M05nYsb5CRVrtv35CPXbo92ynn8sbeWDJk4sNnVCj:35ARFbet4OnV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe

Executes dropped EXE 64 IoCs

pid	Process
224	Dcfebonm.exe
2132	Dpjflb32.exe
3528	Ejbkehcg.exe
4936	Eckonn32.exe
1564	Epopgbia.exe
3372	Eflhoigi.exe
2676	Eodlho32.exe
1656	Efneehef.exe
3652	Eqciba32.exe
4824	Ecbenm32.exe
3480	Emjjgbjp.exe
4956	Fjnjqfij.exe
4740	Fmmfmbhn.exe
3000	Fokbim32.exe
1352	Fmocba32.exe
2448	Fomonm32.exe
1232	Fjcclf32.exe
528	Fbnhphbp.exe
5064	Fihqmb32.exe
1056	Fflaff32.exe
3576	Gcpapkgp.exe
1300	Gjjjle32.exe
1900	Gmhfhp32.exe
2840	Gjlfbd32.exe
3388	Gmkbnp32.exe
4984	Gbgkfg32.exe
4996	Gmmocpjk.exe
2408	Gpklpkio.exe
212	Gbjhlfhb.exe
3320	Gpnhekgl.exe
3420	Gameonno.exe
3940	Hclakimb.exe
4688	Hapaemll.exe
4152	Hcnnaikp.exe
4072	Hfljmdjc.exe
3052	Hmfbjnbp.exe
516	Hbckbepg.exe
3948	Hjjbcbqj.exe
4196	Hmioonpn.exe
428	Hpgkkioa.exe
3436	Hbeghene.exe
4564	Hmklen32.exe
1728	Hcedaheh.exe
2636	Hfcpncdk.exe
4320	Hjolnb32.exe
1396	Haidklda.exe
2604	Ipldfi32.exe
4580	Ibjqcd32.exe
3092	Ijaida32.exe
3292	Ibmmhdhm.exe
4308	Ijdeiaio.exe
436	Imbaemhc.exe
4268	Ibojncfj.exe
4528	Ipckgh32.exe
1164	Ibagcc32.exe
2612	Iikopmkd.exe
1624	Ipegmg32.exe
432	Ibccic32.exe
2320	Jaedgjjd.exe
1440	Jdcpcf32.exe
3648	Jiphkm32.exe
4276	Jpjqhgol.exe
4404	Jfdida32.exe
1584	Jibeql32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Gmmocpjk.exe	Gbgkfg32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Eckonn32.exe	Ejbkehcg.exe
File opened for modification	C:\Windows\SysWOW64\Ejbkehcg.exe	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Gcpapkgp.exe	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Hclakimb.exe	Gameonno.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Dpjflb32.exe	Dcfebonm.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjflb32.exe	Dcfebonm.exe
File opened for modification	C:\Windows\SysWOW64\Hbckbepg.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ocdehlgh.dll	Gmmocpjk.exe
File opened for modification	C:\Windows\SysWOW64\Hmklen32.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Hcedaheh.exe	Hmklen32.exe
File created	C:\Windows\SysWOW64\Ibimpp32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hapaemll.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jfdida32.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kmgdgjek.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Ecbenm32.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Eflhoigi.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Fjnjqfij.exe	Emjjgbjp.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Neahbi32.dll	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Gpnhekgl.exe	Gbjhlfhb.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Efneehef.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jkfkfohj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5500	6088	WerFault.exe	223

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmggiogn.dll"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichhhi32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggdddife.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpacnb32.dll"	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bclhoo32.dll"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebapp32.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgpaojg.dll"	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmhfhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqncfneo.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fflaff32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 224	2072	e4963f482d8c93e73cafebc64bd79ac46809b2f8bf2826fb8bafcfd343f39a67.exe	85
PID 2072 wrote to memory of 224	2072	e4963f482d8c93e73cafebc64bd79ac46809b2f8bf2826fb8bafcfd343f39a67.exe	85
PID 2072 wrote to memory of 224	2072	e4963f482d8c93e73cafebc64bd79ac46809b2f8bf2826fb8bafcfd343f39a67.exe	85
PID 224 wrote to memory of 2132	224	Dcfebonm.exe	86
PID 224 wrote to memory of 2132	224	Dcfebonm.exe	86
PID 224 wrote to memory of 2132	224	Dcfebonm.exe	86
PID 2132 wrote to memory of 3528	2132	Dpjflb32.exe	87
PID 2132 wrote to memory of 3528	2132	Dpjflb32.exe	87
PID 2132 wrote to memory of 3528	2132	Dpjflb32.exe	87
PID 3528 wrote to memory of 4936	3528	Ejbkehcg.exe	88
PID 3528 wrote to memory of 4936	3528	Ejbkehcg.exe	88
PID 3528 wrote to memory of 4936	3528	Ejbkehcg.exe	88
PID 4936 wrote to memory of 1564	4936	Eckonn32.exe	89
PID 4936 wrote to memory of 1564	4936	Eckonn32.exe	89
PID 4936 wrote to memory of 1564	4936	Eckonn32.exe	89
PID 1564 wrote to memory of 3372	1564	Epopgbia.exe	90
PID 1564 wrote to memory of 3372	1564	Epopgbia.exe	90
PID 1564 wrote to memory of 3372	1564	Epopgbia.exe	90
PID 3372 wrote to memory of 2676	3372	Eflhoigi.exe	91
PID 3372 wrote to memory of 2676	3372	Eflhoigi.exe	91
PID 3372 wrote to memory of 2676	3372	Eflhoigi.exe	91
PID 2676 wrote to memory of 1656	2676	Eodlho32.exe	92
PID 2676 wrote to memory of 1656	2676	Eodlho32.exe	92
PID 2676 wrote to memory of 1656	2676	Eodlho32.exe	92
PID 1656 wrote to memory of 3652	1656	Efneehef.exe	93
PID 1656 wrote to memory of 3652	1656	Efneehef.exe	93
PID 1656 wrote to memory of 3652	1656	Efneehef.exe	93
PID 3652 wrote to memory of 4824	3652	Eqciba32.exe	94
PID 3652 wrote to memory of 4824	3652	Eqciba32.exe	94
PID 3652 wrote to memory of 4824	3652	Eqciba32.exe	94
PID 4824 wrote to memory of 3480	4824	Ecbenm32.exe	95
PID 4824 wrote to memory of 3480	4824	Ecbenm32.exe	95
PID 4824 wrote to memory of 3480	4824	Ecbenm32.exe	95
PID 3480 wrote to memory of 4956	3480	Emjjgbjp.exe	96
PID 3480 wrote to memory of 4956	3480	Emjjgbjp.exe	96
PID 3480 wrote to memory of 4956	3480	Emjjgbjp.exe	96
PID 4956 wrote to memory of 4740	4956	Fjnjqfij.exe	97
PID 4956 wrote to memory of 4740	4956	Fjnjqfij.exe	97
PID 4956 wrote to memory of 4740	4956	Fjnjqfij.exe	97
PID 4740 wrote to memory of 3000	4740	Fmmfmbhn.exe	98
PID 4740 wrote to memory of 3000	4740	Fmmfmbhn.exe	98
PID 4740 wrote to memory of 3000	4740	Fmmfmbhn.exe	98
PID 3000 wrote to memory of 1352	3000	Fokbim32.exe	100
PID 3000 wrote to memory of 1352	3000	Fokbim32.exe	100
PID 3000 wrote to memory of 1352	3000	Fokbim32.exe	100
PID 1352 wrote to memory of 2448	1352	Fmocba32.exe	101
PID 1352 wrote to memory of 2448	1352	Fmocba32.exe	101
PID 1352 wrote to memory of 2448	1352	Fmocba32.exe	101
PID 2448 wrote to memory of 1232	2448	Fomonm32.exe	102
PID 2448 wrote to memory of 1232	2448	Fomonm32.exe	102
PID 2448 wrote to memory of 1232	2448	Fomonm32.exe	102
PID 1232 wrote to memory of 528	1232	Fjcclf32.exe	103
PID 1232 wrote to memory of 528	1232	Fjcclf32.exe	103
PID 1232 wrote to memory of 528	1232	Fjcclf32.exe	103
PID 528 wrote to memory of 5064	528	Fbnhphbp.exe	104
PID 528 wrote to memory of 5064	528	Fbnhphbp.exe	104
PID 528 wrote to memory of 5064	528	Fbnhphbp.exe	104
PID 5064 wrote to memory of 1056	5064	Fihqmb32.exe	105
PID 5064 wrote to memory of 1056	5064	Fihqmb32.exe	105
PID 5064 wrote to memory of 1056	5064	Fihqmb32.exe	105
PID 1056 wrote to memory of 3576	1056	Fflaff32.exe	106
PID 1056 wrote to memory of 3576	1056	Fflaff32.exe	106
PID 1056 wrote to memory of 3576	1056	Fflaff32.exe	106
PID 3576 wrote to memory of 1300	3576	Gcpapkgp.exe	107

C:\Users\Admin\AppData\Local\Temp\e4963f482d8c93e73cafebc64bd79ac46809b2f8bf2826fb8bafcfd343f39a67.exe
"C:\Users\Admin\AppData\Local\Temp\e4963f482d8c93e73cafebc64bd79ac46809b2f8bf2826fb8bafcfd343f39a67.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\Dcfebonm.exe
  C:\Windows\system32\Dcfebonm.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\Dpjflb32.exe
    C:\Windows\system32\Dpjflb32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\Ejbkehcg.exe
      C:\Windows\system32\Ejbkehcg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4936
      - C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3420
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        35⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        36⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4320
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1396
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        49⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        51⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        55⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        57⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        63⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        66⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        69⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        70⤵
        
        PID:512
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        71⤵
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        72⤵
        
        PID:440
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3308
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        76⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3428
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        79⤵
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        80⤵
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        81⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        82⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5248
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        87⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5380
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5416
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5464
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        91⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        92⤵
        Drops file in System32 directory
        
        PID:5556
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        96⤵
        Modifies registry class
        
        PID:5732
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        99⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5960
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6004
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        103⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        104⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5232
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        108⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        109⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5484
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        112⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        113⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5720
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5764
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5940
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        119⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5192
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        122⤵
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        123⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        126⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        127⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        128⤵
        Drops file in System32 directory
        
        PID:6000
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        129⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5364
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        132⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        133⤵
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        134⤵
        Modifies registry class
        
        PID:5900
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        135⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 412
        136⤵
        Program crash
        
        PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6088 -ip 6088
1⤵
PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
483KB

MD5
b88432c3756b6057eafd71ea8a6a039b

SHA1
2da9f019e45b0df12443e6856ca8573112c4344e

SHA256
8a31f07fe8d0154aeb4caecee191e806d928ce90ad376ebd413b77b35913f50b

SHA512
2ff21fa8bde6747d8fc995ddb73d79dd28a99abd3fc4c2a146751351ea2f1d9fadf66b19c5fe159406d99adaea8b87a9df262ceb968894c4e4b149d750e53a02

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
483KB

MD5
3d4a0e0b075e78349bd981b0382d4675

SHA1
551e78e14eaecc0b71541f32aa988b308be1bd06

SHA256
dff6de32ac5576e68d7f36dcd2c03b36ec91b79d40f7cf4316c20ad2c7859cea

SHA512
335b22f178cb9dd658e02f52bea8f1401b66888397c193c80eea0a5e4b3c2aca9dfc7baa426fe30d3abd31b31eaff1a4bf8be9cbf11138d30b18d70a6165bb42

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
483KB

MD5
0eee00170d0115214d9460d25c363a97

SHA1
0f0f7dab99bb7dda7bfbefda378dacbc24b17979

SHA256
4d10d8affd6ea99c4865ccaa464d7dc3d85bdd006d4cd83dfae2de8692f05a97

SHA512
07cd89a324006d94d460919477779890d7500b3941fd72f6b0e585aa0f05b8fc8a541dddee347bdde2ffb46faba10a044c9d680d87daa69c119b36b0e8d4edb4

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
483KB

MD5
74d7434325fa3f274252fa4873640925

SHA1
0f44d6894205ee3dbe9fa4d5215d779abee0fa27

SHA256
2e85c8ae9dc4cfee273f4a48480c5e1b0b576dd6d4ba59beaa498a222fff17dc

SHA512
4fe49c55afcb4595dd1d25c6d1e1cf0cc1cd8e0ed06ba8456e46abc828619d8e2c14a3e8e1b16ace4892c9256ba0d16cda3038ad8a7125443ad18e6fea8ac096

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
483KB

MD5
76f448233530a4b578bb95da82e45de0

SHA1
ab917d9040235f3b6477d369a10a0bdfc933d6c8

SHA256
405f2b3eff23a2ce24187cf68d071fc3efb94dfd5adb2589b298382c643b2c01

SHA512
566e228f8a526d33ea06ffeb68f9d66266558a35b6d96bf0b91f1b2c61c6c440f6527cd6748b3ce6a4458756ed4cf54efe05d7729477d51848b13252bbf219a6

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
483KB

MD5
9e09d2bf99c961df227974e7233da4c2

SHA1
0cfff25382ac49b2a440e1320c2ce21701ff7e67

SHA256
3a8d10c4087150a3c6c58f818025ad9285f6a1115ae0ea4f55cb938a5d1eaccf

SHA512
03e45b0eca25e4bbcfa515cd847da5ac24b1202cfbf6b08911c4dec30a6fab1237920a358035e818567ec55fb43e1716a7562b82318aa71e488f5c6d397538d6

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
483KB

MD5
5e094974b4619db46fa0c6bd2128c150

SHA1
033eacb11d906ad238cc34bc621578652a5d64f8

SHA256
450ac0709692302690eda0de96b2f9a69e2aa71c7cafd209cd0354f0b5a2a577

SHA512
d539844db88866f4201bd6471d98aa19db3e5d4282b92244c537e1fad35aae16c1a3dc43c03a2d6c91ce3b292f9fa425cfc8e8b5271623cafa6987934b0ea39c

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
483KB

MD5
d088abce8e871b9c72ce3fd028e7b475

SHA1
568d520b254efd9a91310f048f037d48bfe7a2ae

SHA256
8d0fe0c041910ced9ad57870b2a2d5e8f1060841725d95f7d758716872cdfce8

SHA512
1614c9b53a5f4d5aa6953507955679a7ff16b7159a9c47ed65e5f0cebf27654ee8ec3e03b7209680d63d951b99a702cb643728cc7489ceff905d948f8f781e1f

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
483KB

MD5
316ca6d3382e229a5494b4c26dce36ee

SHA1
bf920ef18fb3caa588e5e4a6d90012fe4c7cb6a4

SHA256
4c4a847fcd41de6a4e4d18662ad871ca45c45fe41b522683f9da913a8a7d18af

SHA512
1df62fe6d8b884c00b026b2859c1ec2c29cc451a25e812a01ea6395550f53de5631629ca02ab535ba1214f766a3af7ed1a7519dde219339c5a7dd2f791e710c1

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
483KB

MD5
e8203bdae1a92145f2972df1fd583c29

SHA1
1f8099d20fa4f89b21f6631b2f9e20feff2564df

SHA256
91ec5d5299e6bebd5db78b4f6dc7b092c052b7becc504ccbc6c9973ba0511454

SHA512
1b70b02fb3ead0c2edde3d66866a2a8ebf206248e9b5034b654933774f2929a12d6fd97448411d9729d60859b28fb5bc7fe1c3850d976458aa8e1de82e85e163

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
483KB

MD5
492793c17a11b3e997e5e1f06e45a9b5

SHA1
acb038c39f9c2f2c3941ed102a1a1476cc5642ab

SHA256
d85c828920d093694dad4980bc36861b2648a12a7559df6bf0ecb925f2aae20f

SHA512
2abf347f3260fe12c4d5d7998301b1c2444e8d32c31591502dbd9f2665cd7a11e9e63c320772709909a638ddf92e7b599ef85c06178474097cd1dc28613243ef

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
483KB

MD5
a33b1831ba924d51e12c1e220f2b264e

SHA1
0b33616ee00a3fca5fddea4f90c6d038338b5ae8

SHA256
7cacbb5078399e6360ff017b7892a7afff3abfe9ed34bbb6f05167703e77f8ed

SHA512
cdfc36a6357639693b6324cc6de2783af995ecc7f6a1362c57050f16d6f53256db47e0c29e668d594b05235a28181c6c461667396ba11ea57cd44adc06d8f0af

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
483KB

MD5
0fe4528124ac251e6a3e7f5ee2d77cd1

SHA1
dd1814073450b65a1715adfc99bbac1338fcf5aa

SHA256
ba974b7acb872251d17a62cc2be764c7c06658bf2ff1d33ad5483cf6610bff5a

SHA512
e6728ecad28d1b0520c769d58f00d9a93f64ef6d007a60b116713e0b5ea6352e2eb67157bc54a433df6d2c4d0bc503230b787bf62fd1881263f57e3ecc78f863

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
483KB

MD5
9c14acb627a04f175ba67e0ffe849468

SHA1
46fcea7e38249fadc75339205ce855a7664b6199

SHA256
d2961225370fc458c010dbf35df2acd75d290ad151755960bd30478eb815340a

SHA512
92bd375bdcb4e1d918f864d20beb6c2dfe814726d4ec40cdb856c9e8071c7f9de165917992c16fe9dc304da1a78c88a67da31838b3bb772851ae533e2863da10

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
483KB

MD5
52868cc33e8e604985c856237faaa458

SHA1
f932ea93b9f69964dbab074787ab614892318a73

SHA256
5213a900d94562b72df72aac152f7b7fc85b33ddf71d411bff796ef93a28ef4f

SHA512
526be249bbc50f73da42f32eece22a2e30cb215f49c86cde38d56bc378bfba27fabfc08a13ebb451012719788f6a4d92c0879faaeba4199febce835388a37de1

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
483KB

MD5
aed9e295054fefaa7175f4ff631f2b6d

SHA1
55fa0365b1fd79e4a11584f58b4aa2ac60fc7a6f

SHA256
69e0a465742bcdb96dc27d1458384accebf7a0229e351a061b19ebba824da337

SHA512
f00a263f846c76443f6a42918a95d3bd1308ad27c9e90315c036c6482035741f836f1bf8fa8c24af5321f695bbf537f39edb47bed592d54ef7429d9c1c0c2a22

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
483KB

MD5
5d3121378fe9cd0998bb1aa08cdfaece

SHA1
26daabf3caef663cfec055b8d4888ebb3a8cbc6a

SHA256
f0b3695b023d8162a309d04c357f8166201ae05ac9641d5eeb6caaa709d27694

SHA512
5660c3af627a31ed40afaee6b825ac210696ff63b5a95fe04ed9e2ab7ce21c93c9b4ece0285ae8a99eb9115c2990c4edd252d8c714fb0cfc6b8d008a88dfd6f3

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
483KB

MD5
727241ecedef958e1ddafdd48290c8ce

SHA1
ebae26d68843dd16ab8988fb5685fe86fbcdf5cc

SHA256
e87a9da8e2ad64b991a2c0eba6dafa426f9c406cd3d7e1d51c0aa0bc526740cc

SHA512
000b8cb69c71fd14da8a6ae7d41887ccab9d7ee9d8b5a633ba0f1d1e5c9b8558a5fee4024d941fd168ba5699da8007681b6b923e3963fe8df29478d737c77809

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
483KB

MD5
dacd7c9e702dcd0fefbcb597412233fb

SHA1
1c28f8709f86bdb4f066ae5676e8309733d60167

SHA256
bba2976b27dfd862b65e5cedb420f796b27b64886785bc65ac92bbf9cdb6e05e

SHA512
8eeaf9bd23b338c7301ae6c43db1d909abc9e57d7d753c45fdd3742aab5308df66b71b8cc9a114dc3cd0b13f93d41dbb913ed720f7df85be05b9fd17a7bb2534

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
483KB

MD5
0bacca6f12d5dab60af290cb67b1cfc2

SHA1
bbdcd2cdd309fd30b5505d0e27534ec9e2791432

SHA256
e35cd81eb01aea222abe936041ec6fcfcf728517a534e4e82ea01c9ea8af145e

SHA512
991aafd0f21e2b07af65268e7ceaa95d4caa9880673385c2f9e3e8f83d835f8bb4aa17ee5a73a7b5d1a9c0c9c38f3d7c36f6d86f79725b8ece7edd4502f77e29

Download Submit
C:\Windows\SysWOW64\Gameonno.exe

Filesize
483KB

MD5
65219cb8b3dd7dc0d5c0d850b030c222

SHA1
811f9d645e1702be15fe93c268e1037ae3b1c861

SHA256
c4a6295ba3e25d4a6078e556b614165fe40e6c210ddb1793128a66fa05c37962

SHA512
09aca88610eb50ba457ed9cafacb6d3ca168a1d6b0ef7ca2666917872c164efc4e517a51b7728237b2addb42879f9509e8b7861ad9d5d531f1f826f8fff7fd43

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
483KB

MD5
ef069a02ccb49bdbd151a067593d22da

SHA1
17bd0b0c00d5f27cd8f78c9901be4a2783e67ff6

SHA256
c042d8de02ebb7ec4b1bfc91c17a7c53bb188aa5303e50f9561112a90c0428b9

SHA512
8afd6faa28cd265de3093560ab4374bdf6e09903e75c640ed63b4ee5f2d82e4a0f13305e13b536afada22b1a40b6a07717c3d2a8f2918499aeda24250d202b2f

Download Submit
C:\Windows\SysWOW64\Gbjhlfhb.exe

Filesize
483KB

MD5
d43596ff778711fba293344429b91734

SHA1
72b9ea95437051b75c5309e77eb3eae4c87ca2fd

SHA256
90e3fbdb47a360f8c5731e1be6b21e2e6261aec05b95965e6e29422065ea43bc

SHA512
7d1711cd051176e6150d4d3e5ed17fac45f9146715e3f3d602710532f45d79f235300efebbd8f65f89a2144e9095601f2772f955f3208e0bc6f9bf25f0428668

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
483KB

MD5
f7892113b5b2822f814e93307f0d5e46

SHA1
f7d65c072008563fa6952c50731a0c5eeb7131e4

SHA256
ab173b3509a91713fdd7d443d00dea6bff9fef82d39953119843a76515dd05f7

SHA512
edc1c1113901b87b922cb3eb7880117616d39975a17da50ccd909ab28e32ce298d77ad36ae2261339baa37acb2e9fe4ffd8911d21b7b9c698d9d2eb2dd35e348

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
483KB

MD5
5598329768c46224fa19dc5077314bfd

SHA1
a7333b4051b69f3ed90ed29d108f19009272a885

SHA256
af1a44ee04d84af8f545a5dda17c9d44a2c98d7245002083cdafd68b8e070494

SHA512
693bd7217afaa197d6794c12c4975a65d11fbe74a3f1f67ad700fbecb0cba11497b3b77accb22d804537bb3de30ce211d69fe224ea37dc95ec26359d3eae2007

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
483KB

MD5
9e91afe8c2cbb0707ab6b7f4dabca72d

SHA1
cc9642209b03ac3420ea4cfd250cc9e2de77dd1e

SHA256
eab8c793ec04f5b8684775054b8417e4a76f9296dbff6098f97767dac9cacf51

SHA512
a9c887f6915c53d11efe665a99c45d7a44844e47f640d8fa98255db06a141b1aa2253b1377cbe650e59394d288ceba8eff199cc4a88e998b1ed03444f193cdaf

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
483KB

MD5
2ec4bcd405cf800d4a43259d7d0faaaa

SHA1
f9e3b3bd4e5b9d57932fa1711cf086fb237cbefe

SHA256
671f37e0c9b68532476c7cda539f8517827b653d94d6c2d52d097c44209a3e53

SHA512
f560135e541eb549cc00301f41655772490d7519b0e5c7e68786df7e7381b03b706ae8c532184665ed2819f6e9fda802cfb0d27a28bb2b764ae82e4811903adc

Download Submit
C:\Windows\SysWOW64\Gmkbnp32.exe

Filesize
483KB

MD5
a58740efb56f661cff139a68a138fcfd

SHA1
0cd16accd02a9129c96d5c4c1c22e956ee22be23

SHA256
1a97d28218664815d30415aece1c87b2914e5086c600193e99088ef09e6c1154

SHA512
201290f7c676d7e492cf4baaf007032e61b077ca2be4803399ae36c405bd0ce9309b40393372784c65b94a1a348121ddcdb355e3ee6c90009147029063917e36

Download Submit
C:\Windows\SysWOW64\Gmmocpjk.exe

Filesize
483KB

MD5
6d63996fe8c1b30e3eeb14275ec5e11c

SHA1
c2011483c2299a016a6d37721a7babb00d35258f

SHA256
79e8ff1ed2f5c91d76286ce24987ba9501589d27e3f87b6ccfa25cb917c1c3d3

SHA512
b44b263342ae9ff5acc4e71cb4ce792cb2e2e8ad212296672f984369748a9ddee00e94c32ffb6ac6b82298c39b7bc6916046fdb99ed6dc425a4b852230c3e59f

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
483KB

MD5
c7ec952d4254d1fab37ce2c5b944a3f2

SHA1
e6c350aaf41aa96116453d6226b2822912f0db1f

SHA256
5c6a7aed667d74274b9483a39ef1c8036286a11e292aa7b1ad38d1d50b22f326

SHA512
1a947a30a454be254a83729e43fb3cf613d465e96d0a73a059478470cf32eaa0f5d372cf08518529aea47c50dc15acc8b64948ce1bdafd49d8398811f18f3dc3

Download Submit
C:\Windows\SysWOW64\Gpnhekgl.exe

Filesize
483KB

MD5
f4c6749ec5c062b7822a03e3f7ef9c38

SHA1
c96136aa67c8967a06b51236b9de258346aa563e

SHA256
37517deeff8edf9582209bac825a1c29ffd18702f5361e78eb2d27364395634c

SHA512
36590c687e17d19321dffd329807e17c9fa973662e00499a918ce32ff76860468a1e04a6e4600c7301bf2cd03276213accf87590724e1c75bb728ab51f088abe

Download Submit
C:\Windows\SysWOW64\Hclakimb.exe

Filesize
483KB

MD5
ddd5f093151631af3b2b1c45bd950f2c

SHA1
f96ab1dca3e89f802ba56ba222fd979718ae584e

SHA256
bd485b832530ad41556f601430543ba5c3f0243b03781caf189ddbf354ef793b

SHA512
b263f444e61930d8d2fc7f31eb9c0b73e0578aa8d57a227484dabc2f41c62b1f2e2b808ff818c8b10438e3e8adbcb4bac87a1a20bf5c3cd75cd1cb785010862e

Download Submit
C:\Windows\SysWOW64\Ibccic32.exe

Filesize
483KB

MD5
470af879a3929001ce95aae0f9a87186

SHA1
213d5aca517a6a32e2a44fa5a22379a9886abe7a

SHA256
4220346282b6268869f0fb53fb1f80cf4185ab0333107c94c716781e57aa3533

SHA512
811ef13bf588e544b55821623e266beb8f89175d32d73c9f46742ef3b71cb4a4e3e891fa01e3bc4181c38eb03b142e6d8450910fc3a79d031c931dc74f863b14

Download Submit
C:\Windows\SysWOW64\Kbdmpqcb.exe

Filesize
483KB

MD5
ef7d1944cf9be21206cc46c779c623e7

SHA1
edaa452ee96c596035026149bc55a70858f6e5e9

SHA256
c8975523d5f8e50021488060c5b055ecbba420b45e444c0a78b51c9172b76432

SHA512
47a0e939f59774bc9b0ec583fdeec03b1611f15741e8ebcefe8fc960f5db36495f73973cc68d73fbf010bdea7eb216a75c69841600c8565534ae11ee86da936c

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
483KB

MD5
fe08ec98c80e040473dd4d7c77fc7000

SHA1
8494ed1fa5aa353089abf2c7b3b49a14caf2dc0e

SHA256
521560ea502ea245cee2deb4a2430ed7841841f520f279f0e6227782347e29dd

SHA512
fbe9c7d0599eac83d75ecf17bd99cecef6301519adc10f409eed55a2cf256af728c2615812cd03cd3ca21e43575c7848aa0db0f4ea3c75a92ba22be8008203cd

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
483KB

MD5
460095fd99c9ba29b74b1101de356f0d

SHA1
a779208d4c5bf1bd7bdf7c2fe3d216183074e1fb

SHA256
615020067691171e2a7f646d2c22b031edd86ca5e5ccdf273fd39439c5b76f9d

SHA512
ef8aeb3532792d9cb40b13a1cdab547ff2344d73eb2d00433e70eb3f8803d38191aa69531ab07175446c02154ab0321b9c3ed450974c153f18d0ef897eeedb53

Download Submit
memory/212-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/432-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-970-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1728-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1900-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2320-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3092-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-969-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-961-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3372-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3388-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3420-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3456-962-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3648-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4152-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4320-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-968-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4416-967-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4688-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4824-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5232-935-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5372-933-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5452-919-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5644-948-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5672-917-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5744-909-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5768-945-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5860-943-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5896-915-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5940-925-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5960-941-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6000-914-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6072-923-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6092-938-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6136-937-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads