8d48a60ba9bab1e61632347d1beaf402bde3b77ccba414a36bc996c1fc840be6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d48a60ba9bab1e61632347d1beaf402bde3b77ccba414a36bc996c1fc840be6.exe
Size

80KB
MD5

9fbb12259d5a5e13f7f8665d6d305df0
SHA1

91f5a73b85c0be06b99b1e414ebb9a5e394372ad
SHA256

8d48a60ba9bab1e61632347d1beaf402bde3b77ccba414a36bc996c1fc840be6
SHA512

387479ab6cb43988ac132f280c41a18ee7e06065e7dfcc7182aefb97ee490c9e8659904c8713bd43f108cfabe2b3682134d0179a14f5aa283e9e888c98044c3a
SSDEEP

1536:Jvp42AGL5eDeQyN3pPmYfjZ0fHe/SVkaQy5M8cLkKFFeJuqnhCN:ZJfeDeQU3pPmY7ZAHW0Qyu7LkWFeJLCN

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiphkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfffjqdf.exe

Executes dropped EXE 64 IoCs

pid	Process
3620	Efgodj32.exe
1452	Ehekqe32.exe
2012	Elagacbk.exe
2108	Eckonn32.exe
4400	Efikji32.exe
4956	Ehhgfdho.exe
2796	Elccfc32.exe
1408	Ecmlcmhe.exe
4532	Eflhoigi.exe
2396	Ehjdldfl.exe
4584	Eqalmafo.exe
4432	Eodlho32.exe
184	Efneehef.exe
4916	Ehlaaddj.exe
3500	Eqciba32.exe
4104	Ecbenm32.exe
4572	Efpajh32.exe
2036	Ehonfc32.exe
4836	Eqfeha32.exe
1560	Eoifcnid.exe
3240	Fbgbpihg.exe
2660	Fjnjqfij.exe
1832	Fokbim32.exe
1192	Fcgoilpj.exe
868	Ficgacna.exe
1740	Fqkocpod.exe
1328	Fcikolnh.exe
4264	Ffggkgmk.exe
764	Fifdgblo.exe
3832	Fqmlhpla.exe
3236	Fbnhphbp.exe
3432	Ffjdqg32.exe
3268	Fihqmb32.exe
4388	Fqohnp32.exe
1600	Fcnejk32.exe
2500	Fbqefhpm.exe
3956	Fjhmgeao.exe
2460	Fijmbb32.exe
3200	Fqaeco32.exe
1368	Fodeolof.exe
5072	Gcpapkgp.exe
4772	Gfnnlffc.exe
3920	Gimjhafg.exe
1196	Gmhfhp32.exe
4924	Gogbdl32.exe
2352	Gcbnejem.exe
1708	Gfqjafdq.exe
2292	Giofnacd.exe
1592	Gqfooodg.exe
2848	Goiojk32.exe
3776	Gfcgge32.exe
848	Gjocgdkg.exe
1944	Gmmocpjk.exe
4812	Gqikdn32.exe
3744	Gpklpkio.exe
1340	Gbjhlfhb.exe
2388	Gjapmdid.exe
3192	Gmoliohh.exe
2640	Gqkhjn32.exe
3328	Gcidfi32.exe
3264	Gjclbc32.exe
1920	Gifmnpnl.exe
2624	Gameonno.exe
60	Gppekj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fjhmgeao.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Elagacbk.exe	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Ehlaaddj.exe	Efneehef.exe
File created	C:\Windows\SysWOW64\Nkbkiioa.dll	Efneehef.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Gjclbc32.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Fbgbpihg.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Iffmccbi.exe
File opened for modification	C:\Windows\SysWOW64\Iakaql32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Iabgaklg.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Klfbpcko.dll	Eodlho32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Fihqmb32.exe
File created	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Jmnaakne.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ehonfc32.exe	Efpajh32.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fbnhphbp.exe
File opened for modification	C:\Windows\SysWOW64\Gjocgdkg.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Cdcbljie.dll	Ijdeiaio.exe
File opened for modification	C:\Windows\SysWOW64\Ifmcdblq.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	Fjnjqfij.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Ggdddife.dll	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Hihicplj.exe	Hfjmgdlf.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Icljbg32.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Hfkkgo32.dll	Ibccic32.exe
File created	C:\Windows\SysWOW64\Pglanoaq.dll	Iakaql32.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6764	6340	WerFault.exe	278

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fqaeco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honcnp32.dll"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobgoedj.dll"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocdehlgh.dll"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adakia32.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkcdljbo.dll"	Efpajh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjbmnlq.dll"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8d48a60ba9bab1e61632347d1beaf402bde3b77ccba414a36bc996c1fc840be6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Iffmccbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncfca32.dll"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmona32.dll"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihjpn32.dll"	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efikji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impoan32.dll"	Imgkql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hjolnb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 3620	4708	8d48a60ba9bab1e61632347d1beaf402bde3b77ccba414a36bc996c1fc840be6.exe	85
PID 4708 wrote to memory of 3620	4708	8d48a60ba9bab1e61632347d1beaf402bde3b77ccba414a36bc996c1fc840be6.exe	85
PID 4708 wrote to memory of 3620	4708	8d48a60ba9bab1e61632347d1beaf402bde3b77ccba414a36bc996c1fc840be6.exe	85
PID 3620 wrote to memory of 1452	3620	Efgodj32.exe	86
PID 3620 wrote to memory of 1452	3620	Efgodj32.exe	86
PID 3620 wrote to memory of 1452	3620	Efgodj32.exe	86
PID 1452 wrote to memory of 2012	1452	Ehekqe32.exe	87
PID 1452 wrote to memory of 2012	1452	Ehekqe32.exe	87
PID 1452 wrote to memory of 2012	1452	Ehekqe32.exe	87
PID 2012 wrote to memory of 2108	2012	Elagacbk.exe	88
PID 2012 wrote to memory of 2108	2012	Elagacbk.exe	88
PID 2012 wrote to memory of 2108	2012	Elagacbk.exe	88
PID 2108 wrote to memory of 4400	2108	Eckonn32.exe	89
PID 2108 wrote to memory of 4400	2108	Eckonn32.exe	89
PID 2108 wrote to memory of 4400	2108	Eckonn32.exe	89
PID 4400 wrote to memory of 4956	4400	Efikji32.exe	90
PID 4400 wrote to memory of 4956	4400	Efikji32.exe	90
PID 4400 wrote to memory of 4956	4400	Efikji32.exe	90
PID 4956 wrote to memory of 2796	4956	Ehhgfdho.exe	91
PID 4956 wrote to memory of 2796	4956	Ehhgfdho.exe	91
PID 4956 wrote to memory of 2796	4956	Ehhgfdho.exe	91
PID 2796 wrote to memory of 1408	2796	Elccfc32.exe	92
PID 2796 wrote to memory of 1408	2796	Elccfc32.exe	92
PID 2796 wrote to memory of 1408	2796	Elccfc32.exe	92
PID 1408 wrote to memory of 4532	1408	Ecmlcmhe.exe	93
PID 1408 wrote to memory of 4532	1408	Ecmlcmhe.exe	93
PID 1408 wrote to memory of 4532	1408	Ecmlcmhe.exe	93
PID 4532 wrote to memory of 2396	4532	Eflhoigi.exe	94
PID 4532 wrote to memory of 2396	4532	Eflhoigi.exe	94
PID 4532 wrote to memory of 2396	4532	Eflhoigi.exe	94
PID 2396 wrote to memory of 4584	2396	Ehjdldfl.exe	95
PID 2396 wrote to memory of 4584	2396	Ehjdldfl.exe	95
PID 2396 wrote to memory of 4584	2396	Ehjdldfl.exe	95
PID 4584 wrote to memory of 4432	4584	Eqalmafo.exe	96
PID 4584 wrote to memory of 4432	4584	Eqalmafo.exe	96
PID 4584 wrote to memory of 4432	4584	Eqalmafo.exe	96
PID 4432 wrote to memory of 184	4432	Eodlho32.exe	97
PID 4432 wrote to memory of 184	4432	Eodlho32.exe	97
PID 4432 wrote to memory of 184	4432	Eodlho32.exe	97
PID 184 wrote to memory of 4916	184	Efneehef.exe	98
PID 184 wrote to memory of 4916	184	Efneehef.exe	98
PID 184 wrote to memory of 4916	184	Efneehef.exe	98
PID 4916 wrote to memory of 3500	4916	Ehlaaddj.exe	99
PID 4916 wrote to memory of 3500	4916	Ehlaaddj.exe	99
PID 4916 wrote to memory of 3500	4916	Ehlaaddj.exe	99
PID 3500 wrote to memory of 4104	3500	Eqciba32.exe	100
PID 3500 wrote to memory of 4104	3500	Eqciba32.exe	100
PID 3500 wrote to memory of 4104	3500	Eqciba32.exe	100
PID 4104 wrote to memory of 4572	4104	Ecbenm32.exe	101
PID 4104 wrote to memory of 4572	4104	Ecbenm32.exe	101
PID 4104 wrote to memory of 4572	4104	Ecbenm32.exe	101
PID 4572 wrote to memory of 2036	4572	Efpajh32.exe	102
PID 4572 wrote to memory of 2036	4572	Efpajh32.exe	102
PID 4572 wrote to memory of 2036	4572	Efpajh32.exe	102
PID 2036 wrote to memory of 4836	2036	Ehonfc32.exe	103
PID 2036 wrote to memory of 4836	2036	Ehonfc32.exe	103
PID 2036 wrote to memory of 4836	2036	Ehonfc32.exe	103
PID 4836 wrote to memory of 1560	4836	Eqfeha32.exe	105
PID 4836 wrote to memory of 1560	4836	Eqfeha32.exe	105
PID 4836 wrote to memory of 1560	4836	Eqfeha32.exe	105
PID 1560 wrote to memory of 3240	1560	Eoifcnid.exe	106
PID 1560 wrote to memory of 3240	1560	Eoifcnid.exe	106
PID 1560 wrote to memory of 3240	1560	Eoifcnid.exe	106
PID 3240 wrote to memory of 2660	3240	Fbgbpihg.exe	107

C:\Users\Admin\AppData\Local\Temp\8d48a60ba9bab1e61632347d1beaf402bde3b77ccba414a36bc996c1fc840be6.exe
"C:\Users\Admin\AppData\Local\Temp\8d48a60ba9bab1e61632347d1beaf402bde3b77ccba414a36bc996c1fc840be6.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Windows\SysWOW64\Efgodj32.exe
  C:\Windows\system32\Efgodj32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\SysWOW64\Ehekqe32.exe
    C:\Windows\system32\Ehekqe32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\Elagacbk.exe
      C:\Windows\system32\Elagacbk.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        24⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        27⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        28⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        33⤵
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4388
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        36⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        37⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3200
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        41⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        42⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3920
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        45⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        46⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        47⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        48⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3776
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3744
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        57⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        59⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        60⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        62⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        64⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4152
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        68⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        69⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1216
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4644
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        74⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        75⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        76⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4648
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        78⤵
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        79⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        80⤵
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:368
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5156
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        84⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        85⤵
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        87⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        89⤵
        Drops file in System32 directory
        
        PID:5452
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        90⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        92⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        93⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5732
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        97⤵
        Drops file in System32 directory
        
        PID:5820
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        98⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5928
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5968
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        101⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        103⤵
        Drops file in System32 directory
        
        PID:6116
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        104⤵
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        105⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5228
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        107⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        111⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5672
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        113⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5812
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        115⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6040
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        119⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        120⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        121⤵
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        122⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        123⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5756
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        125⤵
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        127⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5444
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5616
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        132⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        133⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        135⤵
        Drops file in System32 directory
        
        PID:5712
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        136⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        137⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        138⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        140⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5980
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        142⤵
        Drops file in System32 directory
        
        PID:6192
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        143⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        144⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        145⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        147⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6456
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        149⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        152⤵
        Modifies registry class
        
        PID:6628
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        153⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6704
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        156⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        157⤵
        Modifies registry class
        
        PID:6832
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        158⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6928
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6968
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        161⤵
        Drops file in System32 directory
        
        PID:7008
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7048
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        164⤵
        Modifies registry class
        
        PID:7132
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        165⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        166⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        167⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        168⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        169⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        170⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        171⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        172⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        173⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        174⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        176⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        178⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        179⤵
        Modifies registry class
        
        PID:7096
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        180⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6228
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        184⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        185⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        186⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6904
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        189⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6176
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        191⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 416
        192⤵
        Program crash
        
        PID:6764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6340 -ip 6340
1⤵
PID:6608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cniohj32.dll

Filesize
7KB

MD5
5df81e3211f1e4d8704fed3d1852be09

SHA1
1836bdd0dc29265367826efcff742060314f5c7b

SHA256
aef77cbfb1d0d639921d62fcc5be58d9f6207bb37708eeb08023b746406fe4e4

SHA512
4aa917cdf7f188eace45cc033677726b14e4e5bce8c1061ac614df14b062c448fdcddbae5ec19088d25adebf8b9fd80308e103f9fa08d39ee042d9e04633ceae

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
80KB

MD5
4465988d26c609ac2dd7374548e1f5e4

SHA1
fe1dcb02147f75696baf721d1a18f4d3833b623a

SHA256
19b3e536bacfabaf21844120d226aacdff23a6515a8a66d0d7cf12fcec747c80

SHA512
6b9736e0fe48918929afe840365352b708329911d3f66c38fde3d4d2e9ce0e1384e3fcf4f33e2d773029286420e7f2d6dd8858278f4a6f2c1639e390e1f9491d

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
80KB

MD5
df419d7bfdc79d25dabd4726664a84bf

SHA1
643f00a02aba5b2be27ae46c63b30c33e4579c99

SHA256
c6e41dac212d0fd6c3b8d4f3a73c7322ef120e2b6829e9f2e9ebeed09bbb69fe

SHA512
dc351e615edfe56899764c1e29d348089654d88a7b995ef2147777c5fe9a2398b37737bd416b98583dff68bcfeb2f0dcea10e244e5b5a56b4239adb3e4cf5339

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
80KB

MD5
73704eb39f42ed0918ff9ab2e1b8d29f

SHA1
304ba2d275c4b84e17dc7961b65039425e686b1a

SHA256
27dd64df85bed720769e5de2cc1b4215563aa197baeb9e0b9f8d104e23db2e64

SHA512
4bfcb387bb7b1615815a4c5aed548db35b2c223d380ee9d67f986b6d11098af8cbe0e171535436ca99f72e31c0c0314e639996267466db6d457f8c484a3ec411

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
80KB

MD5
c209b43c738f983c936f8e5424026234

SHA1
82ea23d376860f8b842d4a49ffcec7c74bf16ce5

SHA256
bf09ead2de8b89d4bfc0ba9556e07efbd26bec1ad35a38080f8f442388260c4f

SHA512
656ba7f7a88772ed7f32cca14b98f0a7ce6278a0f3ff057e151fa8775e5f7875ac68c6004eb66c28a10e12aa428d61f1a4f7db5f30ae219b6f0634f1f5e01745

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
80KB

MD5
0d571a548f3b2f3b64f1b324b623e482

SHA1
a270a04e2762c186bb9f2859644961195edf0d07

SHA256
df099708fe37173b941b67b79ed53f15a50c9e4aa4f7c00baea1d74f41d7bbf1

SHA512
6e865c150b9a86b6bf740e842f726ac0341b4e2b96c2575388640fdc1d53e1e184203067e1ea71af84fbdec032d72377c1f82172db0193b096557e835226af42

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
80KB

MD5
3c6fde49845ab2159a9caca1651fa138

SHA1
c8ed35bdfedf8e9df17fe9d92913b723a54a283a

SHA256
56cf6828993fe1a20d89f225cc1adc6ebb6998f9db6bdf73d7238c0120953a06

SHA512
761e830125b7d73544b633349dbc9f819da5a1806bc5d0f1b259cb0b78b01d786b4c690b62b0dc251665c8dd542e2ed6e5791645c333ba4d12bd6b1b77e124f2

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
80KB

MD5
53210d7cb59a9296712ae96e462e1c17

SHA1
b3d0abe2e5344814dd5479e9dd6c4c00d5c053b9

SHA256
b14b1668eaa579d924c36dafb73c611fa399514be03662b4a0183f2e8ba9740c

SHA512
6acaba555f8c0f277555160a767e6528efccee35c7be96ed590245b1b527abd814f42bbcbbb9c2376509c6f536f4487989df7d503bbdd246d4f1d414603c3448

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
80KB

MD5
fa8f04adedf7e17e5b3619089bc79243

SHA1
cb663e2326615ac0917df517117d11acbaa4af1e

SHA256
9e816b7edf848a4bea4f9735531dcb505249e882f9bb30d1a4eeeee20dd5d1e9

SHA512
73d6c57e89b132139313b0112d5f670d65736798a2262a1d427f86c60c28b053ffcad69b9b7922bbf0924ce4a9a76a3c3586b35e5ccc4ace038be0c9b70f891f

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
80KB

MD5
5e4d985edb6da2877c6731b36a96a070

SHA1
69505c6168b4728e0aee519d83af2855d2b9ad72

SHA256
4b029f053f29e5b8ea80fc790883b938e5236ba636f3f33af830183f4db93b55

SHA512
babb4629dc0963ed9cf0e0e6774add4b2786812f069fcdbf6dd600d05ea5bd20313701fafabcbd8831a16e25a2175ad6116e8fca618396de856fd2a6f622afbf

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
80KB

MD5
62588905779dd20f99510e5c2528e9a4

SHA1
182bb345a32c83f43e68a0573f2c1b1fb0b427fd

SHA256
dd0324bf5cc94d59eb04bdeaa66814ab428f0ec2dd4f32b5037edea84d3e8f96

SHA512
6ad5935b7b9c197500b9cefea9ecba162b627ce1018d311056b85959cbf03eb82fb680840be1b0ad283483a4833f493a0f6fdb54cd6b12aac2ecc77ff3f19334

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
80KB

MD5
f0dc88b9524b7e095c121da4d8eaf8af

SHA1
11c5b70e4d5f742d519d42c931fd52ebc70b79ba

SHA256
e0ffaf17238db2648f804e0e665eeaca829f4de31a815f9e48ea1bd67bec6a15

SHA512
795eb82bbe27c60b92c16f21cefd1da5fdb05cdfbe0f41602a654196f30a18cb267d29ac7c81dd7dc2856c2a2265dc175a9d3f2767bd211c3fef4d187e42427a

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
80KB

MD5
0b48053edb26c4efac16da7210b54db0

SHA1
76641cd5bd3f6dd9fdde5858d41f40ecbab86f01

SHA256
7bb13881d6218248f06676c3f8bccb9e74294b953c6cecfd58040a990d0030f2

SHA512
eb77a87e19b06423d756d3b50057b8b2a43d14396dee6f2615723a0d06f7148d8373093c8460358077e26658ceceb9bcea530752b55ed4ecea2103c917d68423

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
80KB

MD5
49f7d1067c905be5b4a6efe722fcd257

SHA1
e4addaf554cfc36b851cf06ebc115f39d35e06d3

SHA256
33a63e41371a00b17c773d13ff7c6c2b93dcd9ec142086a81af1d962fb6b75c5

SHA512
a5b35f746b585d27a03b585abaa4b4b2784163bebb7c0b7b4a797394be064cae20c0b0fdf419711eeb978663f7e9ab403cd2ad2ee2591d8689f785814fca293f

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
80KB

MD5
a3d6601da46da99e226c91fb270d8646

SHA1
55500ee19ed5c04adcafbfd5b2194bdb9ca7bf28

SHA256
9d92be8a030f4d0346cc485284c0420811f40767dd10eb1faa2e139fee831de0

SHA512
092aa67ccdf2dc421ebbbd9ba1c3e80e08a3ea607f3b49bb1c4ed1985bff94a33a072bb7edeaf4872ce2b6fdbd3ba762cf4f759fd3dcd806a8c7ef5ab03e3d5c

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
80KB

MD5
7c83ed71358b50fd8baf37f79366bf37

SHA1
4c9fc6b4e34c2a85633504d82be2925ec90c3c41

SHA256
6c76d77ef084f769ecf566e60dc42030935f3f6646983d0aa36eee1dad632d43

SHA512
b3056c5b657556af3d8f51223838ea0fc1c48a33c2e35d6183d9a5ac3a068e6f44943238009aff8e3a718131a3f6cf83a7b2332fb2429322f0c19ff85061dd7d

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
80KB

MD5
75afbae3f07b9737673ae6a19daaa0ce

SHA1
928e7c357a07ab21bdbbc8894edc862a9e020b49

SHA256
1b05b45ac4b49cce21119656f1e02072004bab1e75dbd95b280017f008693e25

SHA512
992ac788a14da06f2a3e90f4a8afbbf95fdc391145c09e31b68019c530fa826333425e7942fa4a026ae1ea67eef425eb3b5adae488651b4026b185e7a8b8c871

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
80KB

MD5
50f9c8bdd9088da3c4f7ff6b5923fed9

SHA1
3fcc5d682ba3cf69ea6f65fb1e6a4bb3e4ad7704

SHA256
160d774c0be653882e431b79c05165150267f19e19a5f3f75086f1916aa352aa

SHA512
9a58bea12a0e8fa7c993d2d9c5099e38edce1cb3c7aee7c64dc7c8a8da3e19a86d31d89196975e65cd914be59a0710bd970326ec978578693762b048b46fbc3f

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
80KB

MD5
cffce4e51933a4004544aca3f729ee67

SHA1
602ac65cf8eee2845c5e1f350ab2b14ee7121e9a

SHA256
833a3334be2aceadef8643108f2e71783fdb730d33d9f8db4ec6327f835caff3

SHA512
dc0f4f373935830c97648e4102fb301de3e549c7b68e856581ab5c116e84b5d7e356d24277993f3ccc717591dde15e01599bd81dddaa49212db79937c123ecb7

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
80KB

MD5
ebfb5d0a280d4cda272dae10a4d10799

SHA1
c664390ee9465d2412ea0a5625d0729191c4a282

SHA256
bf8264d3612dc2d2f897d707f2a18182f5bbad254645e2751abc7e7902a273ed

SHA512
5c058f3306986156404d4153cac730e20d74c9e7ddd6ac868c0f355209e4d1d7b473afb805c9b5a15ec13115a3527821817dac39a9ab95c76507f2f9452de799

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
80KB

MD5
e7c165968265310e93a31be17166f45e

SHA1
971b94e0dd5881051a350f4d0344a719f09b431c

SHA256
fd674523ad7f213fcc9858d5b0fd94ea5b2ffffc54153342cc53aceb97f80e13

SHA512
c8678340e9599fa1b9898722d16c6ac23038ff9af89ab2604f0cb196a2614238a74e80def3898de95a76200a7a179bb224e33c4bb888900b392886d49ba26601

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
80KB

MD5
3cfbd6a583bd3685f78e334624449bf5

SHA1
bd59bbd89e5e8887545b6f5859a24086e50a2958

SHA256
91bdfcdbff2b2c1778665365b9cc7312097b2124df50a7d7816ebfb6efd63965

SHA512
f5c58b3c416ad27e98cf87bc71a06237475ed60c8e7e79d1d34e171f6c21c8cbf135deb276a72798b7ace57344a008e749c6a2e7590ce389a355e37ac76df988

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
80KB

MD5
24b40514db6b43009b66c174df22df84

SHA1
68d674e39a93f65f8015ac3c556a6165a988286f

SHA256
a25f734d67c76dedff95aad9b1e45f5a97895062d8dd2a141936c1d7a9342048

SHA512
cd38979754be986c07e1b7c6e44d5d18af13a42e0c2ba387677889d69b35988650fd16378c5d73dd80d7ec671451271cbd183bfbf075541f06cac73fd2bf98f5

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
80KB

MD5
9fd725f5c3124b9caa674f520bbd2e55

SHA1
0e84d646b530c601382b12606669c8acd975147d

SHA256
884bbe98df162ca1a3845bab8110bff900948b86c8d1a99dcb9d5d1ff5592056

SHA512
24a200053a3e1aa85bf3a3fa9e27c500316c7caa6453b56ef59510e70db920dea41d7ef4791a652bdf85e3ec85c963b301f84fcdb9ab7f48b20cfd10448ae0e9

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
80KB

MD5
b64f449894336c41d9181f8011d47584

SHA1
521f6ed648dc74b70abd2432496e78da1b60aeac

SHA256
e0d02f412e146e29770fecb1b7f3664f9aca5a03ccdfa152d93c537d725093a6

SHA512
b22d3620c58c9f0f7eeb1be93f10c9a3bb04ab9ec2921d73eaf1e5780dc4c0b91d62d0d934ec205ee1b879822c90b28a2eb700b60714f355923c4ba93493cfe3

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
80KB

MD5
fbb3d258a119a0631a718e36f70307ca

SHA1
4af4b2eda59e92a3e5439df134e0937b3d0d7480

SHA256
4eaf3e6032acf109d7ea4b9d8b9157f10fc2c24a40e02f0f3738705e03614a7d

SHA512
b4000797cd43a443e5ae64a247bd63504e7433cb71b1a3238e449f696c1b458704e4a08f132c283c3831c911c3c8a3fa077257f2d3ba875392b5df65f5cef66a

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
80KB

MD5
c7302f84a04de1a0554518ff526098f3

SHA1
72ed8768a85014fac3ac6255b0adc9d34c667228

SHA256
4782bcbf09c1a2527ed3c345b08162e7e4d9002412e28496bb26b177b3b5c8f1

SHA512
792ef00945451e0da2543abb6d720820e62b608d593915dcc45095e537f66c9b10c4d5ce785b90061c290d5d911a5b9a3cc0ace841c8d6d7c7fa6428677a4e58

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
80KB

MD5
8a865380e84d10ade6e421f8f6ba8d68

SHA1
b580ff8067336cb172a418bcd1af6b6a5564298c

SHA256
0142f4796ff40426d514474d515f484ef529bc7885a9bec4b793d669f131af5d

SHA512
50e7d4fd7ab948aaf507055ad873c6e8e75b34fdfffccc6464ddbc9392f776790da74ef1569bd51baef6f1cdcfcfb4926c95d9e51c3934902e7cb9e449bf2c9d

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
80KB

MD5
fffa77766c49ab0265e37fa21f2d6592

SHA1
12750d619a96992ed10fa1e04a5c0e80abddc3ce

SHA256
1b1f5de86b5d54238a67f9565a9602c7fd6495838994c6435ad1ec3a9700345f

SHA512
0b5e06076a5d804af5287298fcc6068c933ae12c1ea416b041cfd0dea4378fe78ac30c69077e257e8f00dcc0c915859fb781c6f13121c3c5470ef67900af7605

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
80KB

MD5
6eae3b935f0aed15cd79a7843e81818a

SHA1
bdd83f006752285f8c86af5308d202ee5d7fca1e

SHA256
12133c29ce768c8808fae94cc6da3cd62c731744bb5a8cdcb7acc90bec6269c0

SHA512
cc54bd1a4ca0feacf395bb091b14b510fa6f46b009aafb0d14578c95d05f81b290d46f91fdcedd90aaac8dd57c4a503c1814b3a8a1203981c2988b314b21fef3

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
80KB

MD5
e5cc45b54ef2bcdcdad085205329cca4

SHA1
943dce21d0c4fa0b3db8089bb91f494c42069aa8

SHA256
0fc62ed7f7a85e33039339d6d9ec49863f6416eae0e9986ec1f4347a4614eea2

SHA512
a6b81b7d06457269c11f6c79f661f2afbdd0deb1ff3efca1bcaeb569c7aca0e6d8430dce22d8e047642e216a413282f2b0f4a76aa596299e386875172c63c555

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
80KB

MD5
bffcd15ef5084814c41031f05bba27f0

SHA1
0ebdce2b26052eac0c4bb7b2346f17d3399624f8

SHA256
1188c1b6a55d00a242ab1b94f9821444d8faa39a2e9d4ff0050ce54278a2af11

SHA512
6b808ff9d8f0c1c79991b2f5fce024b6296ed43439e23968663563e66f6951d4530c0e6016c9dd674e0abbae6f4b23bd9ccb564142d8617cb76a03f6dfbbae8c

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
64KB

MD5
ab3a612863366e6441cef6b567364b22

SHA1
7eace163da32424f4aaafc4e3ede2fa9588a7172

SHA256
1404d579933f304ab1a42cb3b5bd628930ed058660d42cf0d958a297cffdaa2a

SHA512
eb1f4123df3c61b7539aa9dad68c6ed9cb08f9789f387f17a5d32b5f32a0a83f749903b502e66292a2d3b76293d3a0db3f66e3e7f7d4a4036985a086f657580f

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
80KB

MD5
4e91716dcb8962e136162b18e90c3c80

SHA1
56b9679029da28e4ac92f4a5843660a4d93dac6c

SHA256
207b4b30e1ba7ff6e88f76a0b5e561bedabfc4ba80715c0b66fb58cd9cbf33c5

SHA512
0cbc276148c6c8ffb56df19fa4b594bcc382a545539e865864f316d543da786325ddc4d8ea5351680bcff8b0d28b9f9353e35bca03e33a2f55d300d3e501246a

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
80KB

MD5
b94fb41556776d3a8c1632488be202ae

SHA1
7061ea7202dbaa1ee707d5636044639334da6593

SHA256
3ffb6d6e3cbcc3db7b7c5b811784565dc9d308bb4d089e16775cb79812667a77

SHA512
e28f3704cea0fe3887976fc272c06aa113c053f7582ea315000dcc7944c325fe487fb45892492789ae0bb285580902959020eb13c10e5a2cabe8ed82eaeb7766

Download Submit
C:\Windows\SysWOW64\Jfkoeppq.exe

Filesize
80KB

MD5
9d27291a779ecb7b15e7de6717750605

SHA1
a4cf5e4b8baf21a08aa3ceb36c5b9b0ebabd2948

SHA256
7194eab73b77d4b36d063ff6b3064bd71221f8c60cce9cca7dd5abc049f4931f

SHA512
f5e1a2c4246ef3615bc802ba807eefb40d7f2bcd9ed249d42f07204496cef82f30dbd0fef4d1c1c9d53a281b8cb3001ef9ba38dc027ec2b2c37ef2d34f299fd7

Download Submit
memory/184-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/848-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/868-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1192-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1196-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1328-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1340-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1368-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1408-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1452-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1708-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1740-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1832-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1920-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1944-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2292-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2352-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2388-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2660-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2848-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3192-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3200-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3236-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3240-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3264-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3268-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3328-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3432-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3500-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3620-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3776-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3832-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3920-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3956-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4104-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4264-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4400-44-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-100-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4532-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4772-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-152-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4916-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4924-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads