e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d

Analysis

max time kernel
141s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d.exe
Size

96KB
MD5

0c74df70904d1b45617cdd638bf9322a
SHA1

ae7a4f03fb449f00d40f5eb7c64b4119a41580f1
SHA256

e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d
SHA512

8d1cbe718ed4766eca10cd1dad025aa6178f829ff8676060444d177c4f8ba388a4c5f010e9be27c6860191400141ad8f7e4e02f30e824a13fb52e7b49ed33616
SSDEEP

1536:JjwBTeHPJ0OVUybL+jGc0Fd5Y3YnY9fKNBrSQ0nrVo9JPPhrUQVoMdUT+irF:hoMVUy2jG/z5i0YRK3psVo9JPPhr1Rhk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoapbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbgbpihg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dlojkddn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqaeco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbcakg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dakbckbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gbjhlfhb.exe

Executes dropped EXE 64 IoCs

pid	Process
916	Dphifcoi.exe
4148	Dcfebonm.exe
4712	Djpnohej.exe
3764	Dlojkddn.exe
2036	Domfgpca.exe
3944	Dakbckbe.exe
648	Efgodj32.exe
4100	Ehekqe32.exe
4412	Epmcab32.exe
4584	Eckonn32.exe
4644	Ebnoikqb.exe
4804	Ehhgfdho.exe
3388	Eoapbo32.exe
3320	Ebploj32.exe
468	Ejgdpg32.exe
688	Eleplc32.exe
4856	Eqalmafo.exe
3932	Ecphimfb.exe
4688	Ejjqeg32.exe
3616	Elhmablc.exe
4084	Eofinnkf.exe
2552	Eqfeha32.exe
4716	Fbgbpihg.exe
3360	Fhajlc32.exe
4464	Fqhbmqqg.exe
4516	Ffekegon.exe
1828	Fjqgff32.exe
380	Fmocba32.exe
1084	Fcikolnh.exe
4836	Ffggkgmk.exe
4288	Fifdgblo.exe
5040	Fqmlhpla.exe
4440	Fbnhphbp.exe
4200	Fjepaecb.exe
3292	Fmclmabe.exe
1352	Fbqefhpm.exe
2568	Fmficqpc.exe
1728	Fqaeco32.exe
2496	Gbcakg32.exe
1856	Gfnnlffc.exe
1468	Gmhfhp32.exe
2348	Gcbnejem.exe
1224	Gfqjafdq.exe
2516	Gmkbnp32.exe
3652	Gcekkjcj.exe
2216	Gfcgge32.exe
4336	Giacca32.exe
1140	Gqikdn32.exe
1424	Gbjhlfhb.exe
556	Gidphq32.exe
5036	Gpnhekgl.exe
2544	Gameonno.exe
4692	Gppekj32.exe
3140	Hjfihc32.exe
3340	Hihicplj.exe
4572	Hcnnaikp.exe
872	Hikfip32.exe
3904	Hcqjfh32.exe
1600	Hfofbd32.exe
4360	Himcoo32.exe
4812	Hccglh32.exe
1072	Hfachc32.exe
2904	Hjmoibog.exe
1240	Haggelfd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dbppbgjd.dll	Dlojkddn.exe
File opened for modification	C:\Windows\SysWOW64\Ejjqeg32.exe	Ecphimfb.exe
File created	C:\Windows\SysWOW64\Dmnlpfhd.dll	Fcikolnh.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Efgodj32.exe	Dakbckbe.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Domfgpca.exe	Dlojkddn.exe
File created	C:\Windows\SysWOW64\Eqalmafo.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Bofjdo32.dll	Fbgbpihg.exe
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fifdgblo.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Fmficqpc.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Ibojncfj.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Eoapbo32.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Bejnmepn.dll	Eleplc32.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Elhmablc.exe	Ejjqeg32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Imbaemhc.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Ikjmhmfd.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Ebploj32.exe
File created	C:\Windows\SysWOW64\Bppheeep.dll	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Fqaeco32.exe	Fmficqpc.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hbhdmd32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Djpnohej.exe	Dcfebonm.exe
File opened for modification	C:\Windows\SysWOW64\Djpnohej.exe	Dcfebonm.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gqikdn32.exe
File created	C:\Windows\SysWOW64\Imgkql32.exe	Ijhodq32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Pkbjnl32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kaemnhla.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7052	6972	WerFault.exe	240

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djpnohej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Ffggkgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmficqpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejnmepn.dll"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hihicplj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkdha32.dll"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpckhigh.dll"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfogkh32.dll"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibooqjdb.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkageheh.dll"	Himcoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggmlbfpm.dll"	Domfgpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacdmi32.dll"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eckonn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghekack.dll"	Fmclmabe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 916	3052	e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d.exe	86
PID 3052 wrote to memory of 916	3052	e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d.exe	86
PID 3052 wrote to memory of 916	3052	e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d.exe	86
PID 916 wrote to memory of 4148	916	Dphifcoi.exe	87
PID 916 wrote to memory of 4148	916	Dphifcoi.exe	87
PID 916 wrote to memory of 4148	916	Dphifcoi.exe	87
PID 4148 wrote to memory of 4712	4148	Dcfebonm.exe	88
PID 4148 wrote to memory of 4712	4148	Dcfebonm.exe	88
PID 4148 wrote to memory of 4712	4148	Dcfebonm.exe	88
PID 4712 wrote to memory of 3764	4712	Djpnohej.exe	89
PID 4712 wrote to memory of 3764	4712	Djpnohej.exe	89
PID 4712 wrote to memory of 3764	4712	Djpnohej.exe	89
PID 3764 wrote to memory of 2036	3764	Dlojkddn.exe	90
PID 3764 wrote to memory of 2036	3764	Dlojkddn.exe	90
PID 3764 wrote to memory of 2036	3764	Dlojkddn.exe	90
PID 2036 wrote to memory of 3944	2036	Domfgpca.exe	91
PID 2036 wrote to memory of 3944	2036	Domfgpca.exe	91
PID 2036 wrote to memory of 3944	2036	Domfgpca.exe	91
PID 3944 wrote to memory of 648	3944	Dakbckbe.exe	92
PID 3944 wrote to memory of 648	3944	Dakbckbe.exe	92
PID 3944 wrote to memory of 648	3944	Dakbckbe.exe	92
PID 648 wrote to memory of 4100	648	Efgodj32.exe	93
PID 648 wrote to memory of 4100	648	Efgodj32.exe	93
PID 648 wrote to memory of 4100	648	Efgodj32.exe	93
PID 4100 wrote to memory of 4412	4100	Ehekqe32.exe	94
PID 4100 wrote to memory of 4412	4100	Ehekqe32.exe	94
PID 4100 wrote to memory of 4412	4100	Ehekqe32.exe	94
PID 4412 wrote to memory of 4584	4412	Epmcab32.exe	95
PID 4412 wrote to memory of 4584	4412	Epmcab32.exe	95
PID 4412 wrote to memory of 4584	4412	Epmcab32.exe	95
PID 4584 wrote to memory of 4644	4584	Eckonn32.exe	96
PID 4584 wrote to memory of 4644	4584	Eckonn32.exe	96
PID 4584 wrote to memory of 4644	4584	Eckonn32.exe	96
PID 4644 wrote to memory of 4804	4644	Ebnoikqb.exe	97
PID 4644 wrote to memory of 4804	4644	Ebnoikqb.exe	97
PID 4644 wrote to memory of 4804	4644	Ebnoikqb.exe	97
PID 4804 wrote to memory of 3388	4804	Ehhgfdho.exe	98
PID 4804 wrote to memory of 3388	4804	Ehhgfdho.exe	98
PID 4804 wrote to memory of 3388	4804	Ehhgfdho.exe	98
PID 3388 wrote to memory of 3320	3388	Eoapbo32.exe	99
PID 3388 wrote to memory of 3320	3388	Eoapbo32.exe	99
PID 3388 wrote to memory of 3320	3388	Eoapbo32.exe	99
PID 3320 wrote to memory of 468	3320	Ebploj32.exe	100
PID 3320 wrote to memory of 468	3320	Ebploj32.exe	100
PID 3320 wrote to memory of 468	3320	Ebploj32.exe	100
PID 468 wrote to memory of 688	468	Ejgdpg32.exe	101
PID 468 wrote to memory of 688	468	Ejgdpg32.exe	101
PID 468 wrote to memory of 688	468	Ejgdpg32.exe	101
PID 688 wrote to memory of 4856	688	Eleplc32.exe	102
PID 688 wrote to memory of 4856	688	Eleplc32.exe	102
PID 688 wrote to memory of 4856	688	Eleplc32.exe	102
PID 4856 wrote to memory of 3932	4856	Eqalmafo.exe	103
PID 4856 wrote to memory of 3932	4856	Eqalmafo.exe	103
PID 4856 wrote to memory of 3932	4856	Eqalmafo.exe	103
PID 3932 wrote to memory of 4688	3932	Ecphimfb.exe	104
PID 3932 wrote to memory of 4688	3932	Ecphimfb.exe	104
PID 3932 wrote to memory of 4688	3932	Ecphimfb.exe	104
PID 4688 wrote to memory of 3616	4688	Ejjqeg32.exe	105
PID 4688 wrote to memory of 3616	4688	Ejjqeg32.exe	105
PID 4688 wrote to memory of 3616	4688	Ejjqeg32.exe	105
PID 3616 wrote to memory of 4084	3616	Elhmablc.exe	106
PID 3616 wrote to memory of 4084	3616	Elhmablc.exe	106
PID 3616 wrote to memory of 4084	3616	Elhmablc.exe	106
PID 4084 wrote to memory of 2552	4084	Eofinnkf.exe	108

C:\Users\Admin\AppData\Local\Temp\e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d.exe
"C:\Users\Admin\AppData\Local\Temp\e51e3213170f8187d055124fe663122a24c9663e33ca26fefc0c0f30f6593d9d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\Dphifcoi.exe
  C:\Windows\system32\Dphifcoi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\Dcfebonm.exe
    C:\Windows\system32\Dcfebonm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\Djpnohej.exe
      C:\Windows\system32\Djpnohej.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4712
    - - C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3764
      - C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4084
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4716
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        25⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        26⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        28⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5040
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4440
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3292
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2496
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        45⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        46⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        47⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4336
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1424
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        52⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        53⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        54⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3140
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        57⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        63⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        67⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        68⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        69⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1444
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4368
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        75⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        76⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        77⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        79⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        82⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        84⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        86⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        87⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        88⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5768
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        90⤵
        Modifies registry class
        
        PID:5816
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        93⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        94⤵
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        95⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        96⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        97⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        98⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        99⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5264
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5412
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        103⤵
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5544
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        108⤵
        Drops file in System32 directory
        
        PID:5868
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        109⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        110⤵
        Drops file in System32 directory
        
        PID:6080
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5324
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        115⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        116⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        119⤵
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5532
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        122⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5952
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        125⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5984
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5368
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        129⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        130⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        131⤵
        Modifies registry class
        
        PID:6200
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        133⤵
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6416
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        136⤵
        Modifies registry class
        
        PID:6480
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        139⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        141⤵
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        142⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        143⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        144⤵
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        145⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        146⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 412
        147⤵
        Program crash
        
        PID:7052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6972 -ip 6972
1⤵
PID:7000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
96KB

MD5
d15fc44ac0581e81640a238a6f9273ab

SHA1
fdfb3754bca35f5f887217d14b22c6058e0afe8c

SHA256
074062db265aacb85b30c07cc227ebfdd24c140b81717cdfd9e05e04aaab66fb

SHA512
fe358d1020778c14b97ad3a1ee42a8eeb238d99f973ab9f000f95d6660fd94d41f692db76d37d7c2d7fd1002cd7bd253720cdfc7d25f753ce25522965475ad2c

Download Submit
C:\Windows\SysWOW64\Dbppbgjd.dll

Filesize
7KB

MD5
f6a234547efdc1e8719e633b9b7142b2

SHA1
6054ab7732f09ebbd0d16ec5a0c1390aa71c0bde

SHA256
c378443b95044441b6de51c3d702f770095acc999d59c82f277d48fdd733483d

SHA512
27c00047bbaae80626f3ecd0395652ecd4557e2623e8cd30dea2ac728a69e5e3864e11cbe39192796e84953090f5d1088f6c80b915a1daf512f87da6c40e5760

Download Submit
C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
96KB

MD5
4504e3eb91eb3da0ce847e98dedde457

SHA1
9d83f8bd31bf8d42fa6533d4fdd1a623db6deca8

SHA256
5c6a7b570be54a9835e1019cf0909178f40daeddec488af5f6d49fe0cce898d0

SHA512
5a9402b24e0c7a5ef0305029aa310a5ae16fe5a9fa7951865c47741d33d958d3d1ee9fd3a82e540bfd2ffa7ffbcbd9dd66437218134ff290c3e7ca55b19acac8

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
96KB

MD5
17df8cc240609718f5e0784dceece8d7

SHA1
edaf1d93145ae23165a256bc248f9f81beefc77f

SHA256
c36b68f823769de41e209b7b4412519e3a1048155085ca7a530b5b2df72f7d4a

SHA512
42f9e91360394db0aeb2b3490d4f4a55d81998f7328dbe2a1a094b80465bb4e8fdd1fd6e8b7a7038625485b689658d32216fc493be10febe6fce5c02990e0735

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
96KB

MD5
8beaee050a20410b32f7c13743c17bbf

SHA1
0f3386db88607dd878d86b477cc9de5a23932c2a

SHA256
9b2fe76463659d6b74470eabda78f68bef4b64a19201f78ec267c02d153288d3

SHA512
49a6068a3777d277382cd20117b0469912f7d38478e31cbea3b58ce4703231bb2de0dd8682c95b179cf4b90ae83438c625850883ce3d802227383e4c8cef8ed6

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
96KB

MD5
8d1d16de1177f9ba62a58262ef626a91

SHA1
1fcf562265994aebf176967fb34712afe50fc957

SHA256
7146cd14f5b23f7d3e3081890011451848a1c102253776e9aa99bcad5f8d1d5c

SHA512
d27d7b336ff934bd449f060d2e5ab064e6fadc5336e77b42c612ff6046b1fff12fd9050eaeb08c591f0de42cc18cba5c392b61e50a627cd51d0a95da1e576dd0

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
96KB

MD5
1e8f6415ebbad3444a0d3970cf70e7ab

SHA1
66ed4c0aa4a8d2c5fa8dd173518890bc0becb43c

SHA256
306c8bea1aeef351b371bbe50179181dc3bcdc652e3755087489fc56e23ca5c1

SHA512
ecbe240c2036a89dcd68a321aaf7860068eba0f68a3151aed6169fb948c723041cfa289c259b283376d3859970d04c5aed73ab75d16ec31d6482a54001a3ebfe

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
96KB

MD5
3957f9d1d23557c1fd9b5c560c675d54

SHA1
d1ca78b9936ccb85b4061eea1ef8b5abc4d05583

SHA256
04fca5760c4fc0047b7d266dd3c66eeada3c9fb7d1e87b5f321f136037cc803c

SHA512
9c42cda291f95463ef44a0d5891338fb6216839319b8bc70838e8671534ab5753886c53c11820b85c54922919654abddda18b7ae070514345f9dd224af880a3e

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
96KB

MD5
60def4fad2aa6027bf2ee9aa9ed335af

SHA1
b1f83ef6ffa7ebdd12305fb70ca4502dfca95e80

SHA256
ee8f032e6587072bea665c2fc5facf7fc0f46e35ad9b4eef127c3f478a5056c3

SHA512
468403bd285d8eeb3121ec2e3555aea14e08f71b40b053e5cd8a127121ff53f67d612fb2cc78d48bc9ffa91582b481a93b79cec74c78c4913a6aedd24083bdc9

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
96KB

MD5
427da6e9244c8fd1827151b3f50bd4d9

SHA1
74ec3e62dadd52a3fb836c791d90e9a6564b77ae

SHA256
04b8001b04cd0722b2c6b267e285c5095cd962c0132cc2f3cbd7592e5a275d99

SHA512
c1cd1700b7f3be703ad1924a19d5b893cfdbee12b0fb52ad704fba17b5e2e98cd5a5df9b7b54c3e299414f65de3f802fb457db11e2e20aca43e1a53ce862f759

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
96KB

MD5
c09d4f315e2c186c27d2e1dad018bf5d

SHA1
570fb19efae89a8f4bd518531964eff8b592b33b

SHA256
3c0dd7121c763484aa52a99f31ce9b2384feffc01e607cbc1855a6226c49ef6f

SHA512
dc05a27a48afa77167dda64ae9b32dbe82d58a1bc185eca9eb4a59a03d4a16ff092672344613e66ad63709e58753a250916581f9ea8ca17838379c5e4fa3befb

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
96KB

MD5
39b79d13af717e829bdc86c7d4235472

SHA1
82b5487300bef85fc4e03919cda4388c7876bc48

SHA256
b92d65fae55e2a35bc16da056e4e3b036a0c6489739753e3f7e568b14363e988

SHA512
24404b4176244effdef864e548bc09a55d99eaaac484cebc0cb0aeb1f5f11a9f658b0565682ee508f285429c662e675369a3faa419a61cca2d72077453e8755f

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
96KB

MD5
e1bf00160953bab1c21f961c22fca3ab

SHA1
0fe5b2533444f145473a025f6d095301f1413d85

SHA256
2ba25410e1ab59eef80f5da2a5ed11bbd54725a3ba0cf5822f56529c79d6a1c7

SHA512
1eb0f45af6e1d6c26cc2f9d8f362b1a1ff93c2fd43c88ac7dbc7344fb88c7fb96c7de1a937a6ea24fd0731985919b846a8310361389ad98c85dfee03d253e489

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
96KB

MD5
5264a901dff61f950838499bf5610a8c

SHA1
24bc8ea3d1106cac6753c01d5f19c3d665815410

SHA256
f834337bcf4bd73ec0db8b4535d87ce6715afb123b7e79ef37ab0e240fcc1984

SHA512
a76d8b06a21b7f8428439eae2d8706adfe28448aa2cdbc8cf65e4c0f47a2f9c269e8465ed9ab54847c1cf368c383c609390e2728102493df74df370056b2f412

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
96KB

MD5
464893d3cdedee695b155308ed11c731

SHA1
e9709415b5e0fe8a3bc7494405bb790c0a8ea991

SHA256
715939c3dfda760c1ab74244dd7a71300451a59e3d5388bfb03f257692bbfba9

SHA512
e229877759fc5bc6e1375c88e302a3d1edb7e538d2b52227e43411abf749a29f29afa2c00183aa6ea9e66275e26e8a7f31bc57d649c8cfda8b8357f85c2f83fe

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
96KB

MD5
4b06067aebfb1ead7ba1998895609a81

SHA1
624f4093452886f37d5d35bd38e11fd8744860db

SHA256
ba5436441a8a93218e4578a7e331ce701bbfa9fffab9798ed7d9326482bdb3d5

SHA512
322a795a7db6d0d2dd6d434b34f2e3c01c54102276837bcbc3d27656fbb1b665405ed4d8db1314e92a386c7fc58fbc6f37372019b729d911e330dee14229a4e7

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
96KB

MD5
59edfe766f7e3963a50c434d5a50e040

SHA1
9d3e7cea70328edfea934145e3db8922b05ddeb0

SHA256
dad3c86092e02660de7d9b175004754c2e2542fda984c13dfdf1df0810fd5b46

SHA512
3e73b1a375b18ea5f54de26450490b8ed868fd2bfc36db388639e78072940289c56543abafb7291de16be17fcb753f7822853e91de58df1440779c5393900445

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
96KB

MD5
8b0cc263599b29baea812402071a7ef5

SHA1
ae52cc85b007e87b1273935b6aed81da1e2af2eb

SHA256
7e330a59af5f8d7120bd89dbd1174573d8106518523333600b09215245895710

SHA512
0881eb5ebdd7898e9637618eab05973ee9a0bb7639513b86953efa286bd2e92348da14005494f8c29207057961ef44dc9405525098fc9b161619086cb886e6d9

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
96KB

MD5
b5df5973d58d656d258d2782b893b3cc

SHA1
e88275b1478a83b3af33f3e380bbbcd6af2b2370

SHA256
f2ab4cc05bd8c0775a3ae01e1739cbdbca71b724c822550a20699a70e03caa95

SHA512
d47be4217621966f33dd3c59446fe800fe4821d725669b39c0ccd4fe549d98db240df5317154c7e5ddd854eb914642b09689c961cd4c813653c3c4a1e0935d2d

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
96KB

MD5
2c190b9912f073d2e4037f00f677a7ce

SHA1
81eb8fe1c4d2b38cc8f62e11b0f968e69cf48005

SHA256
c59767432af684e6462f222421d13c7f45c34dbd8466b20ace8e0aa775872982

SHA512
00b73ee47d70ceee4d878f6790dd8a09ec48a61b973a019e4ad648cfaba21d0ad08f2a0a6fb7b79ad42098abbec2701e656b9839efd82deb3b0e1311fbff7f1e

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
96KB

MD5
5970f22d8da6455d8227fe4943c6dc1d

SHA1
25d24ddde20c927711c4d1f6b2919426b027da70

SHA256
23d1e373b004f0b6380cb1890486bce41cd5efdd1aa78ab0e990fd1af5080fd3

SHA512
3a47cfff7df9fc42ef4d8001baccf77fb4fc0855bf91b96d99f3b82a2f42664be714e98f0049920097327b8b5b073dd9263f8625ca5812a287c67703639b3ce7

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
96KB

MD5
cd20274a60ea45bd95154f7402614e8b

SHA1
64f944e9ea5c9861f3ed3568f0b3bc55570177a1

SHA256
7b1f345c79c5f232b1015f9514838158d576c7f7c6bb62bd97ad67425042415a

SHA512
107d20785d134ffb37fa2471629d72cb6e57bb1d670f969ab9188692dafc2f078dc62ae2ae5eab2bcc490ad848f40f6bf2bc06c9e620905f0f7c2cb63800558e

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
96KB

MD5
a10e91bb2fe04b3a503f8d447480733b

SHA1
d8c40c2feb047db89f93efaf59c183dc76ae48c9

SHA256
040816869d9462b30ede67c0d367dfbedd24afd28ec3f4b4e84b95f28c3cd314

SHA512
6c08777b9ef4cce7b9bbb28749a6ee8682dd4f9f764114e5ac486a446c4df0a266546d2fb379a1a8e97d2556c06771dec3e90825e460d69292bf605fb7151c8b

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
96KB

MD5
00986f27a6bd112aeac6079000a56f80

SHA1
7b11f80d55baeb97b79d18d3541f4e882b46c844

SHA256
c2ddfb60529d4f470436090d6959aa57d0b3d18bb5104e4456479bcd48b2c075

SHA512
85ef14d1d08118f1874391fc2c0cc1cb56d93b9c0404540f453ebad1d04d18cccdac0c895a5b815a652dd8be67c6a442fb2c721a746871dc85a5b8a60164f1b9

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
96KB

MD5
77e325bfe9d942c886633da7a960298a

SHA1
6520543b3b82421b58c952008bc02d21e17fbe2e

SHA256
13731b453059bc51209496b9faff9d33f61de785762a12e90381d2d4602d8eda

SHA512
061c1a5ec6414095d52ebdbd85aa8cc06f680d216aa9690cc7b57d6face95144326c9693805a061c66fffb9d0d0b1192cbeec6cfcede7ef53c1fe6b7e27bc729

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
96KB

MD5
43b61af9d3655e33bfed9f8f18ac9bc5

SHA1
476d6b6869ef949ab8422ee795f4a4f6082e173d

SHA256
0fda8748ab9995bfc4a85a08c74c617da487564503da27a7dd37b5b6eeb1fe8c

SHA512
ea3579da3dd4fd8828ecb271485279490d76ca639376af499ec6936e427f24bf1d4a5f65d46bfd0a8cd22acbcc49b215851e62f76e2df417cabeef0332029016

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
96KB

MD5
66e46e2016fb94315b79975c4810d143

SHA1
437fe5887d6592a15ac6724849293ce737c81d7c

SHA256
edad8c5d322fab4e9e12193dba10de24431e8ad3bde55e4cae9f94bfd890561f

SHA512
c66b0160ae1afa0aacc584259cde55b90a507c119dac4a05d8b52479fe099de01f2fa17247730f8d3fa94d4a3b536f5ac8eff11b7752e7e66ef913e0e6112fbf

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
96KB

MD5
7aa9aba13f12b5496e7c6626872b0ef6

SHA1
f3f5f2ee72fac0e180e0491f0049e7e39eb9ecaf

SHA256
171f60b8c479b4e2f07420ff81ad9fb8a20f44b828e1d8ea6b90817f678f9df7

SHA512
9b075232d904eb892d3db4e64ad6861dc38712355dba1fa7d2912119ebb516115e6e1b515c17f978d2888e0f6999377e60346b3dd20a7560a298f84f7767771a

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
96KB

MD5
edc1d2465d6ac0bb1151116fb7b67653

SHA1
7f3d75f3dadf72d80a3afd1b350c49d6f8be1345

SHA256
7c6d2a5bbefa7c1495dc6a73e4dc4d544bee5da2dbbfed8a9e70c601a313a1c2

SHA512
6c29911da716a985b881d281cdba49a372053b3abd53742834075e17cdf103f5e586400df41989f5b78f8e71dbcf33e14cf8e7700877cb8007b57a7a3d35a57b

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
96KB

MD5
886bd9f07066d1133ad2e298c8cf3303

SHA1
6ea02399432ef7477572a38098d70d1d6f0a07c3

SHA256
ed4848592150e23a234f7154b7388cabfd85706ce455aa5bd22c949ca650b68c

SHA512
d9a03237ad4e1f198b72c7253d331f3f5e5f2a7bc5268aa8188fb9e9cfde5a577ba234c5361b871fc2ceeda1eb8c1ba58e4a44adbfccf4cbb4d4bb23dbbdac63

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
96KB

MD5
ca1b77bb0e1d2b10768025c01715fcca

SHA1
05fd65ca31ff84df44e39ee72c0432cb648588e7

SHA256
5c0568704f878de43504b7be85f6e95858cde961176cd679eea5328829e50d52

SHA512
04b6159d2fd437f4d0cbe9b12ab90b133c54b57c589c278fe3c3ad4a2bd8fe1f189653c958530a73903cb89a9fc5ef4edce169e1bf7c54803cb95865441fc0b4

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
96KB

MD5
ee3b73a22904061e47629601d72c325a

SHA1
7da3c7285b002f6ec13d6e2e5830a67a6d934615

SHA256
e095cd84eab8f936e49042c4d215ce9e93d4b1b3619fda09063d537616fe3854

SHA512
012dfc9f8696ee5c2f18e7420eb32e0e43d7adb089362084d70d30bd9046b72880f393fe1c085725679db36d5c7069a692048ed8ee536485974352e88106fa55

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
96KB

MD5
9e4ec883a0c954dd4cc95ada1b258a95

SHA1
5762053c033fc3e1c25fa5f905af125afabdbef3

SHA256
a34d2b15af9bd880859542beab18e50ec8c7664d6deb897d6db09a388b280b69

SHA512
2b186e39fa9769710c379a3c82d51418b6f039c4625e6453560ab9f9688b2c1778cb7ef1839fa77e8fff07b9be8abd0dc9f9a2291002f5c79563b29168857cf1

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
96KB

MD5
f6196bca6a82465997a8fb32b7f136c1

SHA1
05dd411b7d7ad3cfa6dbc845a4c96f200b1cf080

SHA256
b5a34ca58f8dc740fb7f039e43bae37f78de5f46638f180c5dd05c319bb1f783

SHA512
16a36c486031ca228e1bf785499047260f5688a6bbcda8b3ef12f9e3135f5979aecbae28a84db0b0b09e4643e82fbcbe44ef2b32db240f09e08a103c94ad470c

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
96KB

MD5
4803bb69b4ab7a48d0aa6867e776a536

SHA1
e47f76a646bcaecdbf49ac7735a99e28195a042d

SHA256
5e8ab09e2c50526ac223bbbca868db3a5c6da9a15e9776fc7522155b15c088c7

SHA512
2188abe13d8888cef55812c1a1af2e6409d13a69e8ab563bfd8f39c30a7ac05a049db4cde7738ef7e7d7095f5e41d990d9e147b5a24a4147ba0a5d4763657ef5

Download Submit
memory/380-228-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/468-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/556-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/648-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/688-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/872-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1084-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1140-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1224-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1352-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1424-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1468-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1600-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1728-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1828-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1856-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2216-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2496-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2516-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2544-376-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2904-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3140-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3340-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3360-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3388-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3616-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3652-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3764-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3904-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3932-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4084-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4100-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4200-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4288-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4336-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4360-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4412-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4440-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4516-214-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4644-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4688-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4692-382-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4712-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4804-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5036-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads