a44e25d507ddd8af7e5310b97606da0a944abc654e7a0f89f19c4a24e3308c62

Analysis

max time kernel
146s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a44e25d507ddd8af7e5310b97606da0a944abc654e7a0f89f19c4a24e3308c62.exe
Size

113KB
MD5

8012e9e7f95aba858979c8a853a70ddf
SHA1

e9cb42f92b4c7f2f55c20e4c9a9eb1b7ee2bce46
SHA256

a44e25d507ddd8af7e5310b97606da0a944abc654e7a0f89f19c4a24e3308c62
SHA512

f229c1774fb633c64af4d30d04d626ea7f7f001e931e6eec65f0d007d21b1bf7e9d3974d600f31146e62f4b51d0453944f3d8164789878f65e6a9c850f381550
SSDEEP

3072:jO6gOkqqTj1msdKkbugCe8uvQa7gRj9/S2Kn:jGhjjbISMRNF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fobiilai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe

Executes dropped EXE 64 IoCs

pid	Process
4148	Djnaji32.exe
2476	Dllmfd32.exe
3144	Dphifcoi.exe
1132	Djpnohej.exe
5712	Dhcnke32.exe
6132	Dpjflb32.exe
5496	Domfgpca.exe
4156	Efgodj32.exe
4044	Ehekqe32.exe
3152	Epmcab32.exe
5196	Eckonn32.exe
3464	Ejegjh32.exe
3468	Ehhgfdho.exe
4200	Eoapbo32.exe
5412	Eflhoigi.exe
1804	Ehjdldfl.exe
2252	Eqalmafo.exe
2908	Ebbidj32.exe
5296	Ejjqeg32.exe
5400	Eqciba32.exe
5096	Ejlmkgkl.exe
1464	Ehonfc32.exe
6112	Eoifcnid.exe
1992	Fbgbpihg.exe
5772	Ffbnph32.exe
5984	Fhajlc32.exe
5136	Fqhbmqqg.exe
5308	Fcgoilpj.exe
2132	Ffekegon.exe
3340	Ficgacna.exe
4684	Fqkocpod.exe
2784	Fcikolnh.exe
624	Ffggkgmk.exe
6096	Fifdgblo.exe
5508	Fopldmcl.exe
4036	Fckhdk32.exe
860	Ffjdqg32.exe
1956	Fmclmabe.exe
3760	Fobiilai.exe
2664	Fbqefhpm.exe
4680	Fjhmgeao.exe
5648	Fqaeco32.exe
4424	Gbcakg32.exe
2528	Gfnnlffc.exe
3008	Gimjhafg.exe
2512	Gjlfbd32.exe
6092	Giofnacd.exe
1036	Gqfooodg.exe
3624	Gcekkjcj.exe
4432	Gjocgdkg.exe
2148	Gmmocpjk.exe
3460	Gpklpkio.exe
4016	Gfedle32.exe
4152	Gidphq32.exe
5392	Gqkhjn32.exe
5372	Gbldaffp.exe
5260	Gjclbc32.exe
5156	Gmaioo32.exe
4340	Gppekj32.exe
3108	Hboagf32.exe
5224	Hfjmgdlf.exe
3488	Hihicplj.exe
2380	Hapaemll.exe
5116	Hpbaqj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kkpnlm32.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Bbbjnidp.dll	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kkpnlm32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Kipabjil.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Ejegjh32.exe
File opened for modification	C:\Windows\SysWOW64\Ejjqeg32.exe	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Ehbccoaj.dll	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Jiphkm32.exe	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Kaqcbi32.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ffbnph32.exe	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hbckbepg.exe
File opened for modification	C:\Windows\SysWOW64\Himcoo32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ffekegon.exe	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Gjocgdkg.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Ojmmkpmf.dll	Kpepcedo.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Ehekqe32.exe	Efgodj32.exe
File created	C:\Windows\SysWOW64\Ehjdldfl.exe	Eflhoigi.exe
File created	C:\Windows\SysWOW64\Hdgpjm32.dll	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Eqalmafo.exe	Ehjdldfl.exe
File created	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Impoan32.dll	Iikopmkd.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Fbgbpihg.exe	Eoifcnid.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ebbidj32.exe	Eqalmafo.exe
File created	C:\Windows\SysWOW64\Oijnep32.dll	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fopldmcl.exe
File opened for modification	C:\Windows\SysWOW64\Gidphq32.exe	Gfedle32.exe
File created	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7416	7356	WerFault.exe	289

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Milgab32.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmige32.dll"	a44e25d507ddd8af7e5310b97606da0a944abc654e7a0f89f19c4a24e3308c62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Domfgpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngiehn32.dll"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopeje32.dll"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkind32.dll"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcedaheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehhgfdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 4148	2364	a44e25d507ddd8af7e5310b97606da0a944abc654e7a0f89f19c4a24e3308c62.exe	84
PID 2364 wrote to memory of 4148	2364	a44e25d507ddd8af7e5310b97606da0a944abc654e7a0f89f19c4a24e3308c62.exe	84
PID 2364 wrote to memory of 4148	2364	a44e25d507ddd8af7e5310b97606da0a944abc654e7a0f89f19c4a24e3308c62.exe	84
PID 4148 wrote to memory of 2476	4148	Djnaji32.exe	85
PID 4148 wrote to memory of 2476	4148	Djnaji32.exe	85
PID 4148 wrote to memory of 2476	4148	Djnaji32.exe	85
PID 2476 wrote to memory of 3144	2476	Dllmfd32.exe	86
PID 2476 wrote to memory of 3144	2476	Dllmfd32.exe	86
PID 2476 wrote to memory of 3144	2476	Dllmfd32.exe	86
PID 3144 wrote to memory of 1132	3144	Dphifcoi.exe	87
PID 3144 wrote to memory of 1132	3144	Dphifcoi.exe	87
PID 3144 wrote to memory of 1132	3144	Dphifcoi.exe	87
PID 1132 wrote to memory of 5712	1132	Djpnohej.exe	88
PID 1132 wrote to memory of 5712	1132	Djpnohej.exe	88
PID 1132 wrote to memory of 5712	1132	Djpnohej.exe	88
PID 5712 wrote to memory of 6132	5712	Dhcnke32.exe	89
PID 5712 wrote to memory of 6132	5712	Dhcnke32.exe	89
PID 5712 wrote to memory of 6132	5712	Dhcnke32.exe	89
PID 6132 wrote to memory of 5496	6132	Dpjflb32.exe	90
PID 6132 wrote to memory of 5496	6132	Dpjflb32.exe	90
PID 6132 wrote to memory of 5496	6132	Dpjflb32.exe	90
PID 5496 wrote to memory of 4156	5496	Domfgpca.exe	91
PID 5496 wrote to memory of 4156	5496	Domfgpca.exe	91
PID 5496 wrote to memory of 4156	5496	Domfgpca.exe	91
PID 4156 wrote to memory of 4044	4156	Efgodj32.exe	92
PID 4156 wrote to memory of 4044	4156	Efgodj32.exe	92
PID 4156 wrote to memory of 4044	4156	Efgodj32.exe	92
PID 4044 wrote to memory of 3152	4044	Ehekqe32.exe	93
PID 4044 wrote to memory of 3152	4044	Ehekqe32.exe	93
PID 4044 wrote to memory of 3152	4044	Ehekqe32.exe	93
PID 3152 wrote to memory of 5196	3152	Epmcab32.exe	94
PID 3152 wrote to memory of 5196	3152	Epmcab32.exe	94
PID 3152 wrote to memory of 5196	3152	Epmcab32.exe	94
PID 5196 wrote to memory of 3464	5196	Eckonn32.exe	95
PID 5196 wrote to memory of 3464	5196	Eckonn32.exe	95
PID 5196 wrote to memory of 3464	5196	Eckonn32.exe	95
PID 3464 wrote to memory of 3468	3464	Ejegjh32.exe	96
PID 3464 wrote to memory of 3468	3464	Ejegjh32.exe	96
PID 3464 wrote to memory of 3468	3464	Ejegjh32.exe	96
PID 3468 wrote to memory of 4200	3468	Ehhgfdho.exe	98
PID 3468 wrote to memory of 4200	3468	Ehhgfdho.exe	98
PID 3468 wrote to memory of 4200	3468	Ehhgfdho.exe	98
PID 4200 wrote to memory of 5412	4200	Eoapbo32.exe	99
PID 4200 wrote to memory of 5412	4200	Eoapbo32.exe	99
PID 4200 wrote to memory of 5412	4200	Eoapbo32.exe	99
PID 5412 wrote to memory of 1804	5412	Eflhoigi.exe	100
PID 5412 wrote to memory of 1804	5412	Eflhoigi.exe	100
PID 5412 wrote to memory of 1804	5412	Eflhoigi.exe	100
PID 1804 wrote to memory of 2252	1804	Ehjdldfl.exe	101
PID 1804 wrote to memory of 2252	1804	Ehjdldfl.exe	101
PID 1804 wrote to memory of 2252	1804	Ehjdldfl.exe	101
PID 2252 wrote to memory of 2908	2252	Eqalmafo.exe	102
PID 2252 wrote to memory of 2908	2252	Eqalmafo.exe	102
PID 2252 wrote to memory of 2908	2252	Eqalmafo.exe	102
PID 2908 wrote to memory of 5296	2908	Ebbidj32.exe	103
PID 2908 wrote to memory of 5296	2908	Ebbidj32.exe	103
PID 2908 wrote to memory of 5296	2908	Ebbidj32.exe	103
PID 5296 wrote to memory of 5400	5296	Ejjqeg32.exe	104
PID 5296 wrote to memory of 5400	5296	Ejjqeg32.exe	104
PID 5296 wrote to memory of 5400	5296	Ejjqeg32.exe	104
PID 5400 wrote to memory of 5096	5400	Eqciba32.exe	106
PID 5400 wrote to memory of 5096	5400	Eqciba32.exe	106
PID 5400 wrote to memory of 5096	5400	Eqciba32.exe	106
PID 5096 wrote to memory of 1464	5096	Ejlmkgkl.exe	107

C:\Users\Admin\AppData\Local\Temp\a44e25d507ddd8af7e5310b97606da0a944abc654e7a0f89f19c4a24e3308c62.exe
"C:\Users\Admin\AppData\Local\Temp\a44e25d507ddd8af7e5310b97606da0a944abc654e7a0f89f19c4a24e3308c62.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\Djnaji32.exe
  C:\Windows\system32\Djnaji32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\Dllmfd32.exe
    C:\Windows\system32\Dllmfd32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\Dphifcoi.exe
      C:\Windows\system32\Dphifcoi.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1132
      - C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5712
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6132
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5496
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5196
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5412
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5296
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5400
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6112
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        26⤵
        Executes dropped EXE
        
        PID:5772
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5984
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5136
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5308
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        30⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        31⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:6096
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:860
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        42⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        46⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        48⤵
        Executes dropped EXE
        
        PID:6092
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        49⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        51⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4016
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        55⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5392
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5372
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        58⤵
        Executes dropped EXE
        
        PID:5260
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        59⤵
        Executes dropped EXE
        
        PID:5156
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        62⤵
        Executes dropped EXE
        
        PID:5224
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        63⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        64⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        66⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        67⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        70⤵
        Drops file in System32 directory
        
        PID:6136
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        71⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2224
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        74⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        75⤵
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        76⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        77⤵
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        78⤵
        Drops file in System32 directory
        
        PID:5236
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        80⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        82⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        83⤵
        Drops file in System32 directory
        
        PID:5332
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        84⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5628
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        87⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        88⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        89⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        90⤵
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        91⤵
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        92⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2860
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        94⤵
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        95⤵
        Drops file in System32 directory
        
        PID:1712
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        96⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        97⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        98⤵
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        99⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        100⤵
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        101⤵
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3240
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        103⤵
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6108
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1340
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        108⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        109⤵
        Drops file in System32 directory
        
        PID:4840
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        110⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        112⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4920
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5168
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        116⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        117⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        118⤵
        Drops file in System32 directory
        
        PID:4308
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1196
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5064
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        122⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        123⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        124⤵
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        125⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        126⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        127⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        128⤵
        Drops file in System32 directory
        
        PID:4268
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        129⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        130⤵
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        131⤵
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5464
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        134⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        135⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        136⤵
        Drops file in System32 directory
        
        PID:4228
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        139⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        140⤵
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        141⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        142⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        143⤵
        Drops file in System32 directory
        
        PID:6308
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        144⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        145⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        146⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        147⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        148⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6564
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        150⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6648
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        152⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6732
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6768
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        157⤵
        Modifies registry class
        
        PID:6896
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6940
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        160⤵
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7076
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        162⤵
        Modifies registry class
        
        PID:7120
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7164
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        164⤵
        Modifies registry class
        
        PID:6188
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        165⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6300
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        168⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6540
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6616
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6752
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        173⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        174⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        175⤵
        Drops file in System32 directory
        
        PID:6964
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        176⤵
        Drops file in System32 directory
        
        PID:7060
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        177⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        178⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        180⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        181⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6636
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        182⤵
        Modifies registry class
        
        PID:6724
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        183⤵
        Modifies registry class
        
        PID:6924
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        184⤵
        Modifies registry class
        
        PID:7024
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        185⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        186⤵
        Drops file in System32 directory
        
        PID:6424
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        187⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        188⤵
        Modifies registry class
        
        PID:7004
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6276
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        191⤵
        Modifies registry class
        
        PID:6148
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        192⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        193⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        194⤵
        Modifies registry class
        
        PID:7216
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        195⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7276
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        196⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7316
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        197⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7356 -s 400
        198⤵
        Program crash
        
        PID:7416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 7356 -ip 7356
1⤵
PID:7384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
113KB

MD5
aef964de3cb7a49c6f1d0d8f6f76f906

SHA1
9f1007f3cbe4ea93dfbd88e6ffdae2ce8664a5fb

SHA256
02d8d776d7590bc1c336df21f52ae51127bbda7fcb4115adce0d11251cecd35c

SHA512
93e2ce679105851b214998705f56b173fbdd8c731e6664de4f0d952f7618edb86f8eb5729124996d187b931c1365144d2d6ece5c8c25a2839654a1de0b31e81c

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
113KB

MD5
60482be9ad1dc5223b0c048f5f74442c

SHA1
e745929f9af5ae4950c49afea6047257c41a8409

SHA256
bf43499d16bc9fdf91ec901a1ed7c4ba628f7edd24870c81d52129d0cbbb2cd5

SHA512
d2d919372ece981bbfdddef1b5ecfa65938e56c199863e3b8500c3557b6c7040e6baccb07bbab444b856a4a79c7d00978f908f198c3d29d8b3c1c2cd2e346782

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
113KB

MD5
3ba39dcb44d0b264e7d624335ca34459

SHA1
642b72868b228fd37c33cf58d0d77dbe138a04f0

SHA256
e72ee6ffc774df202456ea4246ea866668be0631a00e93f50ae5cb3b15f7d2d0

SHA512
ce3058d49e81aae34f0e3e55fc98b8baea81782a5c9fae37d0fe62a984b41b03553286002cbd178312d621f8de48c0bff15ee7a5420af24d191c4907c63f1f92

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
113KB

MD5
acfdc3fad074b0bed84bc8d3bc53bea5

SHA1
95eb30906fe5015742eb5dc2c8382ea9d059d95b

SHA256
d6ca2efba2851854bbadea97a80ce64525048abdc243469eb99f94ae47b6957f

SHA512
1dd2933df7ae5b18541bdf7874766c27d35f4baa26a533ba8cfb94f5d717b9571a303fa28283f0d9d0024960291c4504c5ae78ce6dce6e3eccf426ad56d8fe20

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
113KB

MD5
b1314670804f4a751d6da6779b24633f

SHA1
10572f4455f4060c7a09b0b6c75d8efcf84d8174

SHA256
ddaeb8ad58236ecfcef9f101747330b5dc6a8e5c712e3c0b4c8cb5f692069697

SHA512
0218d110bddaf135b80f9766ee1a71415797e81a64c873bcea06d35a181db6959e06f12ac1538ed91a3b0a3a8adc3ca3f802acf99281874ec78152ed7d911e40

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
113KB

MD5
a74e38303fbb08247a121af9c9572660

SHA1
3419b76e0f3344088719ea83e3fab4767bda4e32

SHA256
495673822f9369e160f69279a71ab685cf5e4ad52893ae978a0d835a6b07d64e

SHA512
244a594fe7df6cf728c60d9270456b5f45af2d3f1ef88d60e19093a7d2f163238b810e668b9b640e45074e784172f2a067dd2b0017f9bc698cbeb8c9c6859dfc

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
113KB

MD5
6b9e96d149136e3e2355da661cf63afe

SHA1
091416812d0aeddbe239a09031fd334f4cd411c2

SHA256
6499ea49f0c40e90e894c6e80324659606df8f96e84c9dd8290913a95b9ff2cf

SHA512
adb9c651c5570ee0ac85157b7f6dae71027c4ed6bc30096a4e2fb9c7b64d991734a1cc55b40a0987a52f13db4e6988c0fb91b9dc60c4cb2b05878bc617068d59

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
113KB

MD5
67583c12f6020528617ba49807135bdd

SHA1
ddf73701057b83640e97f7781cd306078f853df4

SHA256
4ad7bfa9b809edcb3a55b3f2405f262b93d2116c200b5669b781778e936ebf72

SHA512
4c3d1093325e36b851a74597d4a16b67c96e2f47f3010ca137c90dadfda9cb138932279cdc27de52a146d62e354f426e23d03f6f9fd8e97924d0311507d0c360

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
113KB

MD5
55f4621d60fbfeac702e0fd36b842800

SHA1
4d68fde8094ebe685f7434c1d534061865c3a2de

SHA256
64f20eb74f0edc53d753f0118bd139ecf85405e54cdd07fc03e8c025469df112

SHA512
fbccbf10ffeb19c2a46eca0dcac105b9172db01abb6c10c79ddb673674d7b3bbc021404418803e440a1e41882eb87e094a4b82cc5f6fac1bdf9621b2bf263dc8

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
113KB

MD5
fcb2aca0d69dc74ad6d5b1f25c82f1ee

SHA1
ad089db88915f46d03ad616f1a79167f92ae9867

SHA256
cf25158aa7c1171065686dc9c1efc150910aa25932c51347b0caa76dbe7dee48

SHA512
9fd5d69ee92df5daceb7cab2d31afc291a4585122e85beb10a68d4e29f8b524b702853600ea0b4fc04520970c8db6c166e1da793bfba31d4440fce189a9831ca

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
113KB

MD5
f2efd3d70813a4facb5d848470692f5b

SHA1
e2a12f06f9a85b2c7e9181aa987787ada30899f3

SHA256
b0fc0d449bfba376256c17a3d09ab91daa7354ca924f8eb2ef2a9da023965f2a

SHA512
530e49b9a276827ebbb20f4b8a4dd7f25a4e6a411c404ad4db7466a71f36b51785436db5838a9c2a159a41f425164f3571c3614efb7fbc54852f56ede198aea2

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
113KB

MD5
1e7a912251955ab219cb038306447ad7

SHA1
b3f6c4992e8949b797711bb00f05aca7d779e816

SHA256
89813e8cd0b648af7f52ce4d0d2da0bd0f2868bbd0e45fff9e004e065bb3e28d

SHA512
0a27d4cd9cd9dac557b578ae9a7a15a9b622aa7268b3c55745324add804419d94638c0f47e8a87f0f9c15be5e95fee31c881e78ac3f423a3639959be134d6b26

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
113KB

MD5
511846757e928365aacb9819a17138f1

SHA1
784c3f1eb496dee645316726ae6d3a50122d78cb

SHA256
3966f1ddac0ba272eb33c11eb7b8d524c4739aaa272e1c3c3214149d2d5657cc

SHA512
4fc4596f029b2163d1e365408d65a4c154597210986a18e5f97a48f96fbbb5ca25b2c729f4984ed6cb07fc455caffdf91ed89ab9579e83cf27a58ac5cc9309d3

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
113KB

MD5
6901a0dc2edec42bafa68fbb8cc0a8ad

SHA1
9b22eec21e56d2362db84271771c8990055eac96

SHA256
bd0cd12911a3bc518c98aec61bcb24d1a0f452b84bc3f7b6bf9ecd881cc97a1f

SHA512
2556b681a6a4463ef9aeb4cd597cd13ba77bb2bcc6c2090b9aeb4d791f5e128f8eecdb90c82cde17b9ff4550fee02d669cd070c6822c5dd966c9f7712e14189d

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
113KB

MD5
c3398b5c5a76680b7656af04f81f5d4f

SHA1
47b1cc808eb203f2c87ac4de0e188053acb5efaa

SHA256
a89fb16cc6a83bf7887654658914bf88b8b341abc7663846e4851530c0b305c8

SHA512
593950160b8122094cccd3df7751348c824bbf9385dca0d77bd84bb8a208c57790dd2294fb23d05ac397eb99fa3a2542f9fa9fd5e683dc34f61c3ef91524d363

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
113KB

MD5
a0330b95ceb17c7149390b11b0bc93ed

SHA1
3716b6a331d837dda52759174c799eba82f697a2

SHA256
98d5840cc6812ee54e1b72e105003933074059f9e48ad5a8b566760a28ed7acb

SHA512
9e73db43bda8679a0912e4ebc2dfa101ddd16deba08be7c938c90c965239bd3f55aef7669377e42132afa5ea0b7ae923118fb53cb4fc92f027578326dff52f42

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
113KB

MD5
304fba3a385113a99bc188bde943eabf

SHA1
28ed6e3332db776d272ab098799cb53fd08fb58b

SHA256
f55147b5e2069e6c744670863881d25da0ab323d48c88909f913715bf0670e37

SHA512
61c6d60ee5118cd7aa7601a699b2c4a7543ccb495f04dea37d57ca8ffa38dde36784237e26ae462e6cd75930c002fa216b7e0eab29c7b29a55021467bd4cacb2

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
113KB

MD5
3f3cc27e3201d44d52f67e1783fca879

SHA1
b507ca158ecd83647611cc704ab83a6bc9d4b34f

SHA256
29ceb07b8e4da4e21b1928a404b36ab9a677400cf6b49409197614eb2b929675

SHA512
2498d200c1ddb30dd6edbde0fa4ece074f27ef35e9d65df8bd1de20e2ca03dbd97eb3560139b2240e011d15b9ec17b5e5c1d25bfb4158bb63f4b4e990043784b

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
113KB

MD5
a4815d01e4c97cfa66f923ffcfa28ddb

SHA1
dcc07ffed61cb7594bc9fccb9409168484744edb

SHA256
c29d6f2f30501041ae536ab8836c3316a94c7d00c7db42a6dbcbb66b9c840c95

SHA512
22f506b6f8992d57c33c66ec180dc7e5fe6f4dc6b6d2ed5a776a982e58edd73967a44e492e7ba40ab734c9653e8a5b1cb0da72982e3fda283eea74cc47f3f4fb

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
113KB

MD5
9c18499f05bece08e8edefd64c579c66

SHA1
7c09cd73f21f5c7b5399bf60592a46228ff9c715

SHA256
c35302266660765c595d07949a5829c4f9362d810c92b9282e80a01b5e8d1b8b

SHA512
8501233cf549482fee62f38921a1ff69417bc1b92ab40273ee556215abce0cf6bcef726b5b7c7d0e5c45ed9df8116b59e6ae67e4fcc52936c114b7e71c3d64d1

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
113KB

MD5
4f5f6bf89a20f931b6f75fd15fcd4fe0

SHA1
27a2fbdb895624dbcd2887e089f7edfca2914524

SHA256
a3cdfc70fe41e635e8b5a61dd7c29a8b96e6f4ade6da87093681429d7ec3a457

SHA512
bb86b202cca60e5440f4ca39eaca6176ff91b1f9f83f11d2e7b1579e5def98f5c3b8ab55fa6949f41ff23d810053259ef6a0eb5015c0edfea5d4512d224e7c92

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
113KB

MD5
88b5597091b98881a3d350f8b0401bfe

SHA1
efee4da237a116df5a42dae700f5b695717a7bf6

SHA256
218ae083c9c84f4cb67adb0f1f74bfe27f3b35b7d1a614067f4b8131219886e3

SHA512
620332b58aa5c63c19838ce64b723083f4b0c0516fea7429d27d1a15aed214f385fe1d0adb10bfa114bc2bc541cbe8fad58781ab1e536048dc49f70fb20a5cbd

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
113KB

MD5
5c2e83f9a00ba867b2a99b3e8e1b8b5a

SHA1
27fd88f965df303069931830e46be564d21a103d

SHA256
ca9312e1ceddc6d67fcb5dc6947523af488458deb84afb1dfc83ab0e325cd567

SHA512
c244615fa86c5c7b7157e61f5b31cd99085f05761be5475f373d2683b20838681cac2edf368f295e21ed6c6f5595882be005711caccd1a43a64db8776f3fbcb4

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
113KB

MD5
03162fe995fd35ea912e1cd2e640476b

SHA1
33f808d1ec12ff9c9826044f019df3065d0ef957

SHA256
17c8328afe51ff61643b367d213cc4aa5cefc27eb55bd4ed1b4a930fb9e6a435

SHA512
9659a563752ac9f2faf40a3eb0761482134a5bcf9052d1efcf2b80f40e57212244111324cf4f31e7c996a15e1e85077f371a0bfce8b57e5a04d68b7b80e26a5a

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
113KB

MD5
65ff811567d9b5e33dd2346b2f4b9f14

SHA1
4353dd08f795b2b418c8ef4819370805a394d9c8

SHA256
4af0c913ed93efd254039930d6ec6b520352516fd7bf377a72d9712c7dfebf31

SHA512
018d7c21d3beea380e580312b028f2dba804e30abb5ba028db79a3410c14999ee1a048d708241f0aa4c92d7bc023cd38c8f7c4fa4a8d42847bf2be09631eebb9

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
113KB

MD5
8f01b86185c98d995d45709df3496dbb

SHA1
3c3d7b6231681da8adc7372bcae110752e3f4a27

SHA256
2a4c41dc6e77f64f2beb132c5e707a825b26ef7cb357b507ed94e288edb554c3

SHA512
432ece59d00700da3efc967c25b18eec4faf5acb683194e3491915b22cd4ca510847e81576f5569f4f119d0d2fbd4851d596ff02e39e5c01f739cf40dbe382e5

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
113KB

MD5
4d21d319ef1b9b3481c6961d0dbb15c6

SHA1
7076ab91726c4cc9eb20c8e180f549353e4562e3

SHA256
dd73352279ca58428c14dac64b36a4e5e435fb4ef894217414b1f0416dbebf88

SHA512
d29579daf196eec49360db88cddfbfa21e806d7f9382728a63d5a8d173c827ad7ec951c431acf0ceb33154a222acd51a21b3ae8d31d02f831727a52e85817535

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
113KB

MD5
0ac416a3a3ff45d56aa831e43628b13b

SHA1
e386c504250e4012c0b368fa78c2255078212a10

SHA256
28f7cd84b3354cf8eacc2fbe05d0483d3853977e693ae81bd5f58744c03af0d7

SHA512
52ab5264470409fdb1bffd1894242efbbef260d4b05f521d5f515d50c67cdc22306628d553495a84d624be227a4877cdd7658a0482da22018e67fddf4f94cff8

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
113KB

MD5
3e8774fd5b5c66ec2322fcd3d8e677ee

SHA1
ed8b2530e70167d58270962a5c3e45bb35fe6abb

SHA256
78dc42d90d74f959e65e82be2bfc138ce537080c27d3167aa5da5d838649c751

SHA512
f72f9eb9cc709e903d5f0bdfe04710293561e370ee9c86726aed91507d784268c9d08cbe0353adedf8ac1def4b2a09b4db576af833e830dc759833590e39ae00

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
113KB

MD5
2e45e5fbb28f3efba1a8306a1273e5a3

SHA1
6ad57feb2e58feb77e42baad90e9d92733b30a0b

SHA256
35337f447962cb54e2837d66a4bf0346c1e5ce194ad8128c4a28ea5f5c1d6db8

SHA512
02e239db580031b053678a2affe48049971d1deaed17c0ce5f71cdf9fbf5f091072cd296474d91c2c581aaf09a6b540135aa01adcea92b6d6eb3a2e9d68c196c

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
113KB

MD5
ff44fcd677cbb1b0fcc1f344b8be7339

SHA1
51e177062f5c1b84e2e4cbeaee0d60a6814cfaf6

SHA256
902052de3846b25c7b8d63466ab175322cd1cc8aecb58d764904f85406a3a3d3

SHA512
7b6cc8da809bb024b0a5c9679fdb62719f330d61f0cba21f2a03594efbb2e075018a5d9983acceed41d1b379c3a2ee8d4e755449f9219cdd0b2574384a3831a6

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
113KB

MD5
37908fe6bcae4a1e683dd30f28c36ed4

SHA1
3e5f30e5139e12cce94770fb2acf2c5d8fc6ead2

SHA256
c64423859947dde5468e3ad5393b91105fc028826e20529fc5ea6e203cbb2c36

SHA512
3d2f8bba664f03e06a6198a8af6d7280ad399c1674bec32d1c7289d31d810bd63c0328e51bac53433c51caae039f589d1a72fe7d9e2c9cbd2794c65b67d0e001

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
113KB

MD5
a3052ae9369f8b42f023579a58522675

SHA1
a5cc6792ad95a995c51cbafc1b0476f255a045bf

SHA256
eeeade546bc6085029b6f1d78200b31470a9000b5cd610b89d0f9e592f5dc5e3

SHA512
5333243c75c2e3b46f1eb6c62c1cc3f41feed671fc987074906435f046377045ec37f75e4083516d766047175bbc8911b8c336927ea386120668dbe5753a7975

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
113KB

MD5
013134590d792874d438691fd7da20f2

SHA1
b04a352842a428e0e6cbd6b7260ed9fe8d04d2b5

SHA256
ea27ae91253f7c47d4b112f050e6a2d66330a3e03631374f31b48660bd5a0283

SHA512
c2c7acd9bfb405f2e92c7471ff3ab375a0a9a707018801f8207e28811dc615f119a107a29a7a75b319edd49aa67c459e8d9e360115c8f36e25b5e93e92d236b5

Download Submit
memory/624-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/860-287-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1036-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1464-177-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1804-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1956-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2132-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2148-371-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2252-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2364-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2476-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2512-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2528-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2664-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2784-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2908-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3108-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3144-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3152-84-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3340-245-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3460-377-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3464-101-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3468-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3488-437-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3624-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3760-299-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4016-383-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4036-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4044-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4148-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4152-389-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4156-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4200-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4340-421-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4424-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-365-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4680-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4684-249-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5096-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5136-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5156-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5196-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5224-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5260-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5296-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5308-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5372-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5392-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5400-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5412-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5496-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5508-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5648-317-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5712-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5772-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5984-209-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6092-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6096-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6112-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6132-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads