3c595d80ada22b57a4891b87a6350a07c135c1b3479386cfae0d6c560930834c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c595d80ada22b57a4891b87a6350a07c135c1b3479386cfae0d6c560930834c.exe
Size

80KB
MD5

2205390c0e02669a09e87eafc314803d
SHA1

8f271af84199563c17dbc0f550c490c98ca60753
SHA256

3c595d80ada22b57a4891b87a6350a07c135c1b3479386cfae0d6c560930834c
SHA512

2c9232792f9cd0be82e83601c44cdc9d32ec1b49e925224017068d1c7a50f48f5197ab0e726262c86224e017b582f6fafcf486e578b9c15ae082fffa2f8fe5b9
SSDEEP

1536:9P2iFzZbA8o/NKvkNv2L/S5DUHRbPa9b6i+sIk:Yim8o1KvL/S5DSCopsIk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbenqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icjmmg32.exe

Executes dropped EXE 64 IoCs

pid	Process
1312	Ehhgfdho.exe
4460	Epopgbia.exe
1408	Ebploj32.exe
4612	Ejgdpg32.exe
4896	Ecphimfb.exe
1792	Efneehef.exe
1088	Ehlaaddj.exe
5096	Eqciba32.exe
2832	Ecbenm32.exe
5028	Efpajh32.exe
3512	Ehonfc32.exe
5000	Eqfeha32.exe
4724	Fbgbpihg.exe
868	Fjnjqfij.exe
3552	Fmmfmbhn.exe
3688	Fcgoilpj.exe
4936	Ffekegon.exe
3096	Fomonm32.exe
3668	Fcikolnh.exe
4524	Ffggkgmk.exe
3188	Fifdgblo.exe
1540	Fopldmcl.exe
3672	Fbnhphbp.exe
400	Fjepaecb.exe
4720	Fqohnp32.exe
3920	Fcnejk32.exe
5100	Fflaff32.exe
372	Fjhmgeao.exe
1148	Fqaeco32.exe
2072	Gcpapkgp.exe
224	Gfnnlffc.exe
1696	Gjjjle32.exe
2328	Gqdbiofi.exe
4168	Gcbnejem.exe
4780	Gbenqg32.exe
2548	Gjlfbd32.exe
3548	Gmkbnp32.exe
3572	Gcekkjcj.exe
1992	Gfcgge32.exe
4416	Giacca32.exe
4648	Gqikdn32.exe
4236	Gcggpj32.exe
2896	Gfedle32.exe
1908	Gjapmdid.exe
544	Gmoliohh.exe
2044	Gqkhjn32.exe
2320	Gcidfi32.exe
2292	Gfhqbe32.exe
3680	Gifmnpnl.exe
800	Hclakimb.exe
2124	Hapaemll.exe
2680	Hcnnaikp.exe
2444	Hjhfnccl.exe
1604	Hmfbjnbp.exe
1216	Hpenfjad.exe
2708	Hbckbepg.exe
4248	Himcoo32.exe
3988	Hadkpm32.exe
840	Hccglh32.exe
3912	Hjmoibog.exe
388	Hpihai32.exe
4716	Hbhdmd32.exe
2352	Hjolnb32.exe
2712	Hmmhjm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hakfehok.dll	Fjhmgeao.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Chbijmok.dll	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Jaedgjjd.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Cichoi32.dll	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Mbfppi32.dll	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Anjekdho.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Gjjjle32.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Iidipnal.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Ehlaaddj.exe	Efneehef.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Gjapmdid.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Hpihai32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ebploj32.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Mcplce32.dll	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Bclhoo32.dll	Jfdida32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	3c595d80ada22b57a4891b87a6350a07c135c1b3479386cfae0d6c560930834c.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ehlaaddj.exe	Efneehef.exe
File created	C:\Windows\SysWOW64\Fcgoilpj.exe	Fmmfmbhn.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Eqfeha32.exe	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Ibooqjdb.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Eeecjqkd.dll	Kdffocib.exe
File created	C:\Windows\SysWOW64\Gnbbnj32.dll	Gfhqbe32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Ginahd32.dll	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6976	6868	WerFault.exe	251

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdcbdnc.dll"	Ebploj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fihpfl32.dll"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphlemjl.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gfedle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 1312	4832	3c595d80ada22b57a4891b87a6350a07c135c1b3479386cfae0d6c560930834c.exe	84
PID 4832 wrote to memory of 1312	4832	3c595d80ada22b57a4891b87a6350a07c135c1b3479386cfae0d6c560930834c.exe	84
PID 4832 wrote to memory of 1312	4832	3c595d80ada22b57a4891b87a6350a07c135c1b3479386cfae0d6c560930834c.exe	84
PID 1312 wrote to memory of 4460	1312	Ehhgfdho.exe	85
PID 1312 wrote to memory of 4460	1312	Ehhgfdho.exe	85
PID 1312 wrote to memory of 4460	1312	Ehhgfdho.exe	85
PID 4460 wrote to memory of 1408	4460	Epopgbia.exe	86
PID 4460 wrote to memory of 1408	4460	Epopgbia.exe	86
PID 4460 wrote to memory of 1408	4460	Epopgbia.exe	86
PID 1408 wrote to memory of 4612	1408	Ebploj32.exe	87
PID 1408 wrote to memory of 4612	1408	Ebploj32.exe	87
PID 1408 wrote to memory of 4612	1408	Ebploj32.exe	87
PID 4612 wrote to memory of 4896	4612	Ejgdpg32.exe	88
PID 4612 wrote to memory of 4896	4612	Ejgdpg32.exe	88
PID 4612 wrote to memory of 4896	4612	Ejgdpg32.exe	88
PID 4896 wrote to memory of 1792	4896	Ecphimfb.exe	89
PID 4896 wrote to memory of 1792	4896	Ecphimfb.exe	89
PID 4896 wrote to memory of 1792	4896	Ecphimfb.exe	89
PID 1792 wrote to memory of 1088	1792	Efneehef.exe	90
PID 1792 wrote to memory of 1088	1792	Efneehef.exe	90
PID 1792 wrote to memory of 1088	1792	Efneehef.exe	90
PID 1088 wrote to memory of 5096	1088	Ehlaaddj.exe	91
PID 1088 wrote to memory of 5096	1088	Ehlaaddj.exe	91
PID 1088 wrote to memory of 5096	1088	Ehlaaddj.exe	91
PID 5096 wrote to memory of 2832	5096	Eqciba32.exe	92
PID 5096 wrote to memory of 2832	5096	Eqciba32.exe	92
PID 5096 wrote to memory of 2832	5096	Eqciba32.exe	92
PID 2832 wrote to memory of 5028	2832	Ecbenm32.exe	93
PID 2832 wrote to memory of 5028	2832	Ecbenm32.exe	93
PID 2832 wrote to memory of 5028	2832	Ecbenm32.exe	93
PID 5028 wrote to memory of 3512	5028	Efpajh32.exe	94
PID 5028 wrote to memory of 3512	5028	Efpajh32.exe	94
PID 5028 wrote to memory of 3512	5028	Efpajh32.exe	94
PID 3512 wrote to memory of 5000	3512	Ehonfc32.exe	95
PID 3512 wrote to memory of 5000	3512	Ehonfc32.exe	95
PID 3512 wrote to memory of 5000	3512	Ehonfc32.exe	95
PID 5000 wrote to memory of 4724	5000	Eqfeha32.exe	96
PID 5000 wrote to memory of 4724	5000	Eqfeha32.exe	96
PID 5000 wrote to memory of 4724	5000	Eqfeha32.exe	96
PID 4724 wrote to memory of 868	4724	Fbgbpihg.exe	97
PID 4724 wrote to memory of 868	4724	Fbgbpihg.exe	97
PID 4724 wrote to memory of 868	4724	Fbgbpihg.exe	97
PID 868 wrote to memory of 3552	868	Fjnjqfij.exe	98
PID 868 wrote to memory of 3552	868	Fjnjqfij.exe	98
PID 868 wrote to memory of 3552	868	Fjnjqfij.exe	98
PID 3552 wrote to memory of 3688	3552	Fmmfmbhn.exe	99
PID 3552 wrote to memory of 3688	3552	Fmmfmbhn.exe	99
PID 3552 wrote to memory of 3688	3552	Fmmfmbhn.exe	99
PID 3688 wrote to memory of 4936	3688	Fcgoilpj.exe	101
PID 3688 wrote to memory of 4936	3688	Fcgoilpj.exe	101
PID 3688 wrote to memory of 4936	3688	Fcgoilpj.exe	101
PID 4936 wrote to memory of 3096	4936	Ffekegon.exe	102
PID 4936 wrote to memory of 3096	4936	Ffekegon.exe	102
PID 4936 wrote to memory of 3096	4936	Ffekegon.exe	102
PID 3096 wrote to memory of 3668	3096	Fomonm32.exe	103
PID 3096 wrote to memory of 3668	3096	Fomonm32.exe	103
PID 3096 wrote to memory of 3668	3096	Fomonm32.exe	103
PID 3668 wrote to memory of 4524	3668	Fcikolnh.exe	104
PID 3668 wrote to memory of 4524	3668	Fcikolnh.exe	104
PID 3668 wrote to memory of 4524	3668	Fcikolnh.exe	104
PID 4524 wrote to memory of 3188	4524	Ffggkgmk.exe	105
PID 4524 wrote to memory of 3188	4524	Ffggkgmk.exe	105
PID 4524 wrote to memory of 3188	4524	Ffggkgmk.exe	105
PID 3188 wrote to memory of 1540	3188	Fifdgblo.exe	106

C:\Users\Admin\AppData\Local\Temp\3c595d80ada22b57a4891b87a6350a07c135c1b3479386cfae0d6c560930834c.exe
"C:\Users\Admin\AppData\Local\Temp\3c595d80ada22b57a4891b87a6350a07c135c1b3479386cfae0d6c560930834c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\Ehhgfdho.exe
  C:\Windows\system32\Ehhgfdho.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\Epopgbia.exe
    C:\Windows\system32\Epopgbia.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\SysWOW64\Ebploj32.exe
      C:\Windows\system32\Ebploj32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
      - C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        23⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4780
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        37⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3548
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        40⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        41⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4236
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2896
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        46⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        48⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        54⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1604
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        58⤵
        Executes dropped EXE
        
        PID:4248
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3988
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        60⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        64⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        65⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2200
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        67⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        68⤵
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4528
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:696
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        72⤵
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        73⤵
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        76⤵
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        78⤵
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        80⤵
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        81⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        82⤵
        Modifies registry class
        
        PID:1280
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4336
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1784
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        86⤵
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        88⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        90⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        91⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        93⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        94⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        95⤵
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        98⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        99⤵
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        100⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        101⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        102⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        103⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        104⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6060
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        109⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        110⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        111⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5316
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        114⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        118⤵
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        119⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        121⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        122⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6004
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        124⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        125⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        126⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        127⤵
        Modifies registry class
        
        PID:5340
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        128⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5540
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        131⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        132⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        133⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6116
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        137⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        138⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6012
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        140⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5744
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        144⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        145⤵
        Drops file in System32 directory
        
        PID:5872
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        147⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        148⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5244
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6156
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        150⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        152⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        153⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        154⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        155⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6464
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6508
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        159⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        160⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        161⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6740
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        163⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        164⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        165⤵
        
        PID:6868
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6868 -s 400
        166⤵
        Program crash
        
        PID:6976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6868 -ip 6868
1⤵
PID:6940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebploj32.exe

Filesize
80KB

MD5
44ce1a020792b8db0a4055711902610b

SHA1
06045080b8d7afc9307e19ac72c92df97c8d6c6f

SHA256
1fc49645ea3e518bf45d7ed4869102c1253d076cc5c49bf49a22de0002e19592

SHA512
43ff4e5e9d83becfa48e7dea1d102827d62b2aefc7abe49766c8742e22da1267e6cd0a7a4c713592dd06cb434a6d94abf1bea647e950f06fdd68fef750f2ddc9

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
80KB

MD5
c6f4e0301ee075040f9fdf4605753e20

SHA1
9d8ca19707d50e1b488292eb7453f6922178bb08

SHA256
4d8e44aa7bd5392440fde4608bc694d8592afe5a8a813e922631cdb02c267120

SHA512
721bc35df2b569e8f507cc3dc64ea10678876c4a3d4b1aeae40ded96e3312b532962176ab48befce07021c9f1789b4d5049ac9665c3cf91d629c91844fe4ae2d

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
80KB

MD5
cdf8e18420953de400f60ba49669189d

SHA1
fffc430ffa43b3f89be55e9ed1f9bd45b08852be

SHA256
27c6fafa02b1c2234001f79544a697df7a3f379f7503f5a79fdcda9ace7b0c6a

SHA512
292fecc2d66077bef1732678de86150fa5898fe89362361f828a50dd0f0ea962b17f59c01b22d1b10ed09cbe930da88a5298e085fd3e30b9f0e3a7e4efff62ac

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
80KB

MD5
0dbeec8d9510a22898f440e75c66c1a0

SHA1
3b6c8c0457482dd1db6687a1cc137c92476ec6bc

SHA256
a8e72365b6d0b7413677a54e339fde9efd7af799b81b04b6465d619666348f7e

SHA512
b9b88847105ec5b4be31e7fa8da377e9118407436402469c85cf07b9e8ba7d8c24b0e722c012e8b609329e14932bbaf9da38e56f6288360593b993da7dd59293

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
80KB

MD5
a77415f3e7ce720621372cb1f7691b19

SHA1
d94460f6b0907b3034d46be1e8577ce925f76499

SHA256
304b3bfb4e2a23ef27cf7c1ac97610980931bc70cc6bb140942695753afd2d89

SHA512
54525ab756bc59cfb8f59be5faf7d624e0e96d9680bf10749e3a66b9446122848e2972e51ec0072842b7feaa54b2dc7301494d6229cbdae1d45e30d5862e05d8

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
80KB

MD5
5f09018ee78caab63cd60f0c49e84488

SHA1
cd2d19bc5f37e5b038e8bf8173eb3784562a7ac3

SHA256
647100981ebf9f49a1bd19188cd3f4938829a74e997f423f4937636755c7d4f4

SHA512
bd7e2a30b043269b2da05efae89b4f8babaadbedfc18727de30133f143cec712c1862145641d4c37f27b6ab8399a527d42c0672f240088981eb27c8c29faa95e

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
80KB

MD5
bc022b33bba160cb8bd8c6bbc5bfca60

SHA1
0a8e27c7ee9c9c7e0d269aa86a8c0848b72c41c9

SHA256
5c641f1d4fca51e8d9b388957c4866768c68066a951c6304d3f386d0970d2c4d

SHA512
2d9c761fa351c8b6810e81b0748b98a00d62bcbd8d540f035891b3f220985bcc29b93623ab0003f90198a43248af31388fefbe1f85eecbe5899f9d9472e02187

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
80KB

MD5
9d872ba9c523c5a88e2372132db7380e

SHA1
d48e767511fd6334c5cffea8335d01f31ee50747

SHA256
4dbe6bdcbb9f38b2d75e2c98424809a89be39f5db3458de8c44e90a65af58563

SHA512
36677ba794bf2ae7f61ec6bcc6851533f944b6e18217a86b1fb15972381d97ff9511bdc42260c49519329cce5095d5be3d645d6504a07c3b5b8edab7ef12c85e

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
80KB

MD5
87a309676c964c544941ac5d4c832fdd

SHA1
241cb38a195a6aba8b457a3272da684cf9e395eb

SHA256
010f54274172bb76a02c3742e5823a89e99be178d167fbcd588a9d1884fb1cb4

SHA512
f098d988b1fd2e4a9fcad625f7c290193050a9b79b55bd73dcb71cbc036e190e6b8dde49c9d360a4530ecdc2d6256bf2c20a283872b2c2ba299229c4a83c8586

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
80KB

MD5
b3379bc6187a43694d0686d90492564a

SHA1
8d0542dc5a67598e1530faed073e5970f38d5a01

SHA256
a6f0dee029652fdae13aeff940c27c1d63d8b9918091941d470513af7cdae35c

SHA512
1b94fedf47bad2ce632ecaab0e29231ac27598d52fa041c21e73a75fbef00cef293b834a9bc9d67247d9a79cb0d8a0d0ba40e547fda60edacec41e6f3f12d6c5

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
80KB

MD5
132bb1a495174e35b42bd2445e18de33

SHA1
0b8714f3d398bd6ff9ea775ca4f1617a14125f8c

SHA256
eba73d7253f56e03099513804742c481d03252401ab094ec8543b48846baf0e4

SHA512
f1313824b6c503ed7cbb9df3da9bb1c0e5befdb488837cb24542275d9d6a85e4a91fd5424724b69859746defd54bb9f241cde68c052c375a490803d8d5aa6ff3

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
80KB

MD5
e58294d49f5761b32d5306cee4bbfd4a

SHA1
58f2af3b1d95eedef6e515ef192fe6a07826f828

SHA256
899cd6a89b7ac7992f2fcd84eec5545abc4dedb563bbda7d26abadb3d9294cee

SHA512
3977aac9ef3aaed41b55a9d24b4d0945940fedec6cf72e6ebcb6154c0b5ae4e3fa2d0c2aa6d93ad3dc48781179d29219c5ab2508570817fdfecea2027c3fd447

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
80KB

MD5
95a0ab07257f461bd518c71e57cf303e

SHA1
431f357a9a92def57d953f47619468dcd8e56785

SHA256
4f6f0089497a8896d7ab2163276544408873fd87dc28f4b46e455e4ee0818d48

SHA512
174ba6d575f1a7f5fa347c925c324c0289567db7490d7edd4d7435c0ad17969f1b4d29be87135a0714633fc450618e7561b6c3d4a5b6577cf5eee31b319fa717

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
80KB

MD5
d30c70ccc7a88ef213b4081a905673a5

SHA1
289a02cc1fb59cbcf5e2d47c14cf16612f64f7e4

SHA256
bf97349675ec37e446dc08076681589a4764e6f6b2a6ef892af38ae54b97cf67

SHA512
dd0cbc3fafbc61f9a0f8f55af5a740335d710f5e89109c955629eaee002d5b7f8a405c1dfa3e397c52150115544a340e4b50bde8f93923b00d9dbb741cfa1218

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
80KB

MD5
24634f46d928060f6e8c96f240f7a003

SHA1
51c419ceeccdf5dafe4fea7219f0a6f598f0cba9

SHA256
3dee0240f00779c50133b0ad6820b84d68942ce4e40f74ec7bf3bda06b818cb4

SHA512
daa23a029802a31912de7cf5fbb0d667ed8bc78f2d91aace4d84929f98821f465782462aea7acd2fad346afc93c3bdeac4d54fb23055b15806f0bbc4b2e6047e

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
80KB

MD5
fd33ea259d2ed89ee79730ff6ee45573

SHA1
b6e766a171fa252fdf1f1bf2ecb71f1a535a0067

SHA256
e5f7fa733c4e40356aeb914df91b50eab9eddebf5703bb0fb4a0dfe9fa2294c2

SHA512
642eec14332ac1c1a04ea9ad577434998cc41d8b9da21628ce15c08590f09d4fb8d859323ee26231fca7635107ea14dff7190e2bb9c49b39c6608127647268e0

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
80KB

MD5
21fa05a7d26a53530dffaa5d092d6160

SHA1
5298a461ca886ab29f974b021e303a4edf8bc808

SHA256
41bdbffddfef75f0941ee6be01c6a6a64f36924320def17df3083e9c7a8621f1

SHA512
715feaacff7bd1fd13a9c14a7441bea5895714e362ff2f779cf90a5f047bab53800da2a2f492af1a67b7bd437c7e196350fd5eeb83d53e70ee478056f1f48e96

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
80KB

MD5
1340217373bb7e235916f7291a901e40

SHA1
a9143eb32cbf6149f0715439cb5307ad95ee628e

SHA256
7252a00574466573b27ad2cfc7f50443ef40079804707fbc4d5a25a7714cbfa3

SHA512
4d0e86a53e6d8d85aa99fd0adb436654e6b73d7b8666e20783ecbc91dd758fff6fd15b02be4048ff74b0d2225d55f428f4772bbe92a25ffcd6a5916cdda5aa5c

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
80KB

MD5
d6c864a01c5c0540f5e01f2549b901af

SHA1
610ec52253da3b045936f9937ac9743cae358352

SHA256
f5d8aa6f25254d51b62359665889b905ba789db4844f71409b64175ccd6b09ce

SHA512
4ade0e6ba261339ded74f731f8e77b86b70bff4f1ad99408e6611d17018fc8e103d89788e9678f00e9c144fc232f5bf1907349a8032e784309b6c58f4a4890be

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
80KB

MD5
336834e6452a720bdf02c67717a00e28

SHA1
3e0f322ba0ebdcfb29add9b6bd72a8359aaf8ad8

SHA256
d5fea56c12d37d826f2f9de5ef8047eeb5ce8ac38b8bf7d97e2457c8f3ccf06f

SHA512
2f89138722357b7e3e77917956e59b2c6a0ae806eacc25f675d07261c67c48ec04b3da8501ce9f2ed987dec72385bf1d2e3770449945ab5dac70ea376767cf0b

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
80KB

MD5
691c91728c8d0f86ca3a1d0e9b74e546

SHA1
75ce1c5497c51c3150de57a9131da0a56376669a

SHA256
cf1de5bf73df9a94b0516f3ce554a0ec2b31c6fcf71f20dad45ae3cc33f75681

SHA512
0a2ea5d587d015e6324c8389a7576a773dfe630317ba2dc8c01f8be86a4b33f05919bb175d5c6b4bcda4d650ea8fec5a77e79c5aca81183ade561283f985765f

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
80KB

MD5
e6a15d0a7b4b062c7ce9acffa90c9fe9

SHA1
83eef2b0299fed75257a5719b86da9a14f32c971

SHA256
18cf53bce27532eb398ac0376f7cd938dbad81561bc60a12a0e9ee4086ba8d96

SHA512
cfc821496fb497cbe8f7be5315cccc7b4a7c504cf58edfa4e9942f5fd577ec6bf8b9eb1dd8d136dc9695eb019e3d2ba322fe19194b388963c189deaad63f9eb6

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
80KB

MD5
c4930d3087960825ecc1723f3a08b4e4

SHA1
af7f01dfe11dcec2752b9ce9672ec9da9487c978

SHA256
2f8d79b2f4bbe94bf7fc099569b77543f51690941918de8843f02474b340e24d

SHA512
242a95fa20fa5bcb5bfebd92394ab2f500ac001e714d623e92241b16a8a6822461cb96d1d1b8ec9de96eb94b738b4bd98ebc5cca379eb9c29916f33b4b33545b

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
80KB

MD5
7238c10a83ade8ff3e43812970bda197

SHA1
10f683eec1b743b5fff34196ed597d6355c20d7b

SHA256
e852b0636bc30597141725eb471076ea776c99a5e44baf57ba7720cb7e6f431d

SHA512
1e7249cf8ae3e953dd3650d0f1ef8681f273318cb2c7086d9c8861214c703b271e67292bf14b0e1b6d1b4cbae2047c369774e2ba9221138b200dddaf23c5467a

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
80KB

MD5
4ab4232f5cc9ad0bcba112f027f38e51

SHA1
ed00bc95861cfd010d6fb50fd55cc2dd3da3eb2f

SHA256
ad0603d84d1a5912ea8c3a5588d422728588caebc5c3e5ff9414910e567b2d80

SHA512
4bd0ec0bca4f7de1a7b8ac733605c74a26cbf3752c911d881ea920f2bb27a3062aa97c7a05041871ee4d3658fa8c32a4577a68ee83b7a936ee7625c2d44b8195

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
80KB

MD5
fef28b2ceb4a1ca534ccd12bde2e9a1c

SHA1
e041a31f5e23a46d2f8cf2b26565e5dbaf25a4ba

SHA256
0ff554b05e76971a7e4ef1308dc35e8c7ec68d971b5f618e4f381bb855771f71

SHA512
f07b2ff8790285af3dc6c3483ea68d64f4bc8838157e136b185dfce74a8a1790c1b2c31d90ff912e79a0ed57be6b3918f966f3fd2365c8657c96b8fd6940e7de

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
80KB

MD5
8237cb8a8c131f417443f22f701725f5

SHA1
126b3cbae7189639f7287386dc34b4dbceadb273

SHA256
7456169a200db3c69f010fde234f7798e4a14a9781bb2dd2eb333ac0c2a243ae

SHA512
62bc8f72a024c726ab03a0394424b8cc366c1e46a1a40ce8c8fc7ad34bcbcf0a02dec8f1de97ba1a13522596893e94e5b82497ec35e63164c77886dbbd257819

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
80KB

MD5
e0801608eadc7178481b48e5ac5dd6ab

SHA1
c24aa031a63e5934525f1508d0f0e365b3540c57

SHA256
6989d28ff14404595fa36e5a3476730f31ef5ecd139bc06ed83dec1af40c4246

SHA512
bdf82b2ff95967642595e07380f95943b4c36d4d307916521b346d6a2274c61ff4080e94cf95681d41a0d45842999ff8022a8ff87d60055124004d0c318f9c0a

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
80KB

MD5
a92417109d430adcd87a5ca6914e0370

SHA1
2ec7d45af4c0738de0ac8a6420261dd5f73afd72

SHA256
d565e26103f2bb773769d33c261930466a2716f2fb37d320b80e393b19fbdcbd

SHA512
acc54ee010649f1ae818ce173ba9a11706b12f888dc1ead09323dc0e62626f21ef8e97694cf9299dc7d8fa8c40f87786bdc768be787ffd0207778f8bfbe90c4c

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
80KB

MD5
a118c89360521177212b5b5cb3611ca8

SHA1
da583f90fffc0713e75e83b367076595b4d516bd

SHA256
f66e45ecd9453337dc7c6546ef0f53d5790d30f4bd7051fd3d87962ccc87ffd3

SHA512
90b0de43015e68f183055f513ac5f5d6c403e973d62570bd6069c3c114f3143df5d0e824d51972ddd52aa2294e0f1d1491e40cdd93feb856216f106a3594e8a5

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
80KB

MD5
fe21fb02ca114f013146f788b60b4dd4

SHA1
76ab5b65af12237d4112df665e30b454b7db3ddb

SHA256
fab354d1da287acd38c582299cb7bda8210814263ebfd72035b569d5b99cc6f1

SHA512
71959821d5b4cc19f8512cf0994e74e784b2b2ee960dd27de8f5791980d4c8aef7c2256faece1e3eb19aafc9446a5a77479ab821e636752bfb105cefec5c16c8

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
80KB

MD5
de0daf8fa498d17b046cf20d6e8257c6

SHA1
0c4c857abe060061cde928e6b96c1d80ac820e50

SHA256
a5877f4a3d51ed0af2c3c01f551f0142919047dac2e01f9ea9f0d8cbe5b96046

SHA512
323a8f0ce4d46f4ac0beb3cbbac2b4d1806aa12f6bcf56818ee02900b2e75f2e09c8c5c055bb5fd8d540ad78c118d601f714a1c61a3648bf4c9833348bf18cc1

Download Submit
C:\Windows\SysWOW64\Hbckbepg.exe

Filesize
80KB

MD5
a0c3c2f27aed8a7ee032f2d245823dcd

SHA1
08364c9bcf9acdd5e1a80e0f359b741b44fa3394

SHA256
f88e972b40f74812978fa7193076320fbcd0e9de15d9ebc3caefd676f5647df8

SHA512
e6a654f0c15aaa886fbb39b23f044df0f969230fe811a315c4d9425acf214a4645a4339229f54d389ccd9a136281cb776199818a57f4cdc691e76e70f0eff519

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
80KB

MD5
c66dc056bdb326f9b18178287a7c64e9

SHA1
eae0fc9aa8ae173130fa4e37133a97bd71aa1502

SHA256
c0161fd692a9174b0847587e70c988aaed1511b73c8d5d2e59d981900974994e

SHA512
f44338a17bf039dd8f4c1784b80a8cee31f1a37fce69a15166864380e4c10e366980b77be25d141b41f569aa71ffb4233095fe136d2eba00fec43f10bbe73437

Download Submit
C:\Windows\SysWOW64\Ijaida32.exe

Filesize
80KB

MD5
8da9ec6c22f65b506e4ecdd4cc55e91d

SHA1
4444d8d7bf0b2e8dcab4cb1f29614155b0b456ad

SHA256
f6fa541841b2077771366a38348afb56130407d966a344f74b98ff5231626480

SHA512
34b1720f2b1a195a862168d4581bf2146ef2f93d5fdea7db0ca31027f1be54121f634419716e2055aa260ef15e2de9aa9d9225ca67cddb08d50f687c2b487a94

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
80KB

MD5
24756e5eb6c3ee5c7d174b192e010890

SHA1
cc2179c83887f11afd60d46984924ed86f6a0a28

SHA256
cd03a3ac6a02872dd0bb83fc583f3aee7a58fd58926e51601eeb5bee482bb843

SHA512
b9e7be097a52d5b989453e6fbe66f15f31422ef193ef0bcad7187738d7411b5b0ad5ca837cceafe20cf188e71478a969c8242919317ee1052594febdf69a54a5

Download Submit
memory/224-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/372-226-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/388-432-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/800-366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/840-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-114-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1148-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1216-396-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1408-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1540-182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1604-390-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1792-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1908-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-242-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2292-354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2444-384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2680-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3096-146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3188-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3512-94-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3572-294-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3680-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3688-130-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3920-210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3988-414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4236-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4248-408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4648-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4936-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-102-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5100-222-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads