b8b51c2e555189c97cac6f56c3d4314b3131f243b236cbb380eb9ea88ac06806

Analysis

max time kernel
136s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8b51c2e555189c97cac6f56c3d4314b3131f243b236cbb380eb9ea88ac06806.exe
Size

107KB
MD5

061a788c7e95d125ce662f49a610fd02
SHA1

ebb05bd904c581a2c2c661c18cb8cfc1ac300555
SHA256

b8b51c2e555189c97cac6f56c3d4314b3131f243b236cbb380eb9ea88ac06806
SHA512

e00e268f94ce2c2243fa0356c1c6299112baa2c6992464b4133d09cdccd4568f6c613ca18047b4ff946b450524e22b2efd85aef84544e2de0a6913d76840074d
SSDEEP

1536:pP0RAAB1Trj03Lx5g/dtcP8ClX2L5aIZTJ+7LhkiB0MPiKeEAgHD/Chx3y:pPOAABRU7x5g/dtUj85aMU7uihJ5233y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfcpncdk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giacca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpgkkioa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hihicplj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe

Executes dropped EXE 64 IoCs

pid	Process
2432	Epmcab32.exe
4344	Eckonn32.exe
668	Efikji32.exe
1104	Ehhgfdho.exe
1388	Eoapbo32.exe
4520	Eflhoigi.exe
4916	Eqalmafo.exe
1996	Eodlho32.exe
2108	Efneehef.exe
1984	Ehlaaddj.exe
4088	Ecbenm32.exe
1344	Ebeejijj.exe
1080	Ejlmkgkl.exe
1048	Ecdbdl32.exe
4616	Fbgbpihg.exe
3580	Fhajlc32.exe
4228	Fcgoilpj.exe
704	Ficgacna.exe
3232	Fomonm32.exe
1004	Ffggkgmk.exe
4948	Fifdgblo.exe
1712	Fqmlhpla.exe
3988	Fopldmcl.exe
3000	Fbnhphbp.exe
2312	Ffjdqg32.exe
1116	Fqohnp32.exe
4636	Fobiilai.exe
2268	Fcnejk32.exe
2300	Fflaff32.exe
4348	Fjhmgeao.exe
936	Fijmbb32.exe
1016	Gjjjle32.exe
3104	Gogbdl32.exe
3636	Gbenqg32.exe
1316	Gfqjafdq.exe
1928	Giofnacd.exe
2560	Gmkbnp32.exe
436	Gbgkfg32.exe
2372	Gfcgge32.exe
4984	Giacca32.exe
2620	Gpklpkio.exe
4084	Gidphq32.exe
3520	Gqkhjn32.exe
1008	Gcidfi32.exe
3712	Gjclbc32.exe
4892	Gifmnpnl.exe
1932	Hboagf32.exe
3516	Hfjmgdlf.exe
4896	Hihicplj.exe
5104	Hapaemll.exe
1552	Hpbaqj32.exe
2636	Hfljmdjc.exe
2820	Hmfbjnbp.exe
3460	Hcqjfh32.exe
4720	Hbckbepg.exe
2528	Hjjbcbqj.exe
944	Hpgkkioa.exe
5020	Hccglh32.exe
3140	Hjmoibog.exe
644	Haggelfd.exe
624	Hpihai32.exe
5076	Hbhdmd32.exe
2160	Hfcpncdk.exe
3132	Hibljoco.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hibljoco.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Jpgdbg32.exe
File created	C:\Windows\SysWOW64\Cqncfneo.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ampkqqjm.dll	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Fbgbpihg.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Haggelfd.exe	Hjmoibog.exe
File opened for modification	C:\Windows\SysWOW64\Hbhdmd32.exe	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gfcgge32.exe
File opened for modification	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kipabjil.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Fcnejk32.exe	Fobiilai.exe
File opened for modification	C:\Windows\SysWOW64\Hibljoco.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kpjjod32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Gogbdl32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Peeafpaf.dll	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Mlilmlna.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fifdgblo.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gjjjle32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Jdemhe32.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Mfpoqooh.dll	Jdmcidam.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Jaimbj32.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Iifpphha.dll	b8b51c2e555189c97cac6f56c3d4314b3131f243b236cbb380eb9ea88ac06806.exe
File created	C:\Windows\SysWOW64\Fqohnp32.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Jbfpobpb.exe	Jpgdbg32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6484	6640	WerFault.exe	286

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagmapfi.dll"	Ebeejijj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgohg32.dll"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnkcb32.dll"	Imihfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjjbcbqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hccglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b8b51c2e555189c97cac6f56c3d4314b3131f243b236cbb380eb9ea88ac06806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjbcbqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fojkiimn.dll"	Ipqnahgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifegaglc.dll"	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pellipfm.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfkkgo32.dll"	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 2432	928	b8b51c2e555189c97cac6f56c3d4314b3131f243b236cbb380eb9ea88ac06806.exe	83
PID 928 wrote to memory of 2432	928	b8b51c2e555189c97cac6f56c3d4314b3131f243b236cbb380eb9ea88ac06806.exe	83
PID 928 wrote to memory of 2432	928	b8b51c2e555189c97cac6f56c3d4314b3131f243b236cbb380eb9ea88ac06806.exe	83
PID 2432 wrote to memory of 4344	2432	Epmcab32.exe	84
PID 2432 wrote to memory of 4344	2432	Epmcab32.exe	84
PID 2432 wrote to memory of 4344	2432	Epmcab32.exe	84
PID 4344 wrote to memory of 668	4344	Eckonn32.exe	85
PID 4344 wrote to memory of 668	4344	Eckonn32.exe	85
PID 4344 wrote to memory of 668	4344	Eckonn32.exe	85
PID 668 wrote to memory of 1104	668	Efikji32.exe	86
PID 668 wrote to memory of 1104	668	Efikji32.exe	86
PID 668 wrote to memory of 1104	668	Efikji32.exe	86
PID 1104 wrote to memory of 1388	1104	Ehhgfdho.exe	87
PID 1104 wrote to memory of 1388	1104	Ehhgfdho.exe	87
PID 1104 wrote to memory of 1388	1104	Ehhgfdho.exe	87
PID 1388 wrote to memory of 4520	1388	Eoapbo32.exe	88
PID 1388 wrote to memory of 4520	1388	Eoapbo32.exe	88
PID 1388 wrote to memory of 4520	1388	Eoapbo32.exe	88
PID 4520 wrote to memory of 4916	4520	Eflhoigi.exe	89
PID 4520 wrote to memory of 4916	4520	Eflhoigi.exe	89
PID 4520 wrote to memory of 4916	4520	Eflhoigi.exe	89
PID 4916 wrote to memory of 1996	4916	Eqalmafo.exe	90
PID 4916 wrote to memory of 1996	4916	Eqalmafo.exe	90
PID 4916 wrote to memory of 1996	4916	Eqalmafo.exe	90
PID 1996 wrote to memory of 2108	1996	Eodlho32.exe	91
PID 1996 wrote to memory of 2108	1996	Eodlho32.exe	91
PID 1996 wrote to memory of 2108	1996	Eodlho32.exe	91
PID 2108 wrote to memory of 1984	2108	Efneehef.exe	92
PID 2108 wrote to memory of 1984	2108	Efneehef.exe	92
PID 2108 wrote to memory of 1984	2108	Efneehef.exe	92
PID 1984 wrote to memory of 4088	1984	Ehlaaddj.exe	94
PID 1984 wrote to memory of 4088	1984	Ehlaaddj.exe	94
PID 1984 wrote to memory of 4088	1984	Ehlaaddj.exe	94
PID 4088 wrote to memory of 1344	4088	Ecbenm32.exe	95
PID 4088 wrote to memory of 1344	4088	Ecbenm32.exe	95
PID 4088 wrote to memory of 1344	4088	Ecbenm32.exe	95
PID 1344 wrote to memory of 1080	1344	Ebeejijj.exe	96
PID 1344 wrote to memory of 1080	1344	Ebeejijj.exe	96
PID 1344 wrote to memory of 1080	1344	Ebeejijj.exe	96
PID 1080 wrote to memory of 1048	1080	Ejlmkgkl.exe	97
PID 1080 wrote to memory of 1048	1080	Ejlmkgkl.exe	97
PID 1080 wrote to memory of 1048	1080	Ejlmkgkl.exe	97
PID 1048 wrote to memory of 4616	1048	Ecdbdl32.exe	98
PID 1048 wrote to memory of 4616	1048	Ecdbdl32.exe	98
PID 1048 wrote to memory of 4616	1048	Ecdbdl32.exe	98
PID 4616 wrote to memory of 3580	4616	Fbgbpihg.exe	99
PID 4616 wrote to memory of 3580	4616	Fbgbpihg.exe	99
PID 4616 wrote to memory of 3580	4616	Fbgbpihg.exe	99
PID 3580 wrote to memory of 4228	3580	Fhajlc32.exe	101
PID 3580 wrote to memory of 4228	3580	Fhajlc32.exe	101
PID 3580 wrote to memory of 4228	3580	Fhajlc32.exe	101
PID 4228 wrote to memory of 704	4228	Fcgoilpj.exe	102
PID 4228 wrote to memory of 704	4228	Fcgoilpj.exe	102
PID 4228 wrote to memory of 704	4228	Fcgoilpj.exe	102
PID 704 wrote to memory of 3232	704	Ficgacna.exe	103
PID 704 wrote to memory of 3232	704	Ficgacna.exe	103
PID 704 wrote to memory of 3232	704	Ficgacna.exe	103
PID 3232 wrote to memory of 1004	3232	Fomonm32.exe	104
PID 3232 wrote to memory of 1004	3232	Fomonm32.exe	104
PID 3232 wrote to memory of 1004	3232	Fomonm32.exe	104
PID 1004 wrote to memory of 4948	1004	Ffggkgmk.exe	106
PID 1004 wrote to memory of 4948	1004	Ffggkgmk.exe	106
PID 1004 wrote to memory of 4948	1004	Ffggkgmk.exe	106
PID 4948 wrote to memory of 1712	4948	Fifdgblo.exe	107

C:\Users\Admin\AppData\Local\Temp\b8b51c2e555189c97cac6f56c3d4314b3131f243b236cbb380eb9ea88ac06806.exe
"C:\Users\Admin\AppData\Local\Temp\b8b51c2e555189c97cac6f56c3d4314b3131f243b236cbb380eb9ea88ac06806.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\SysWOW64\Epmcab32.exe
  C:\Windows\system32\Epmcab32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\Eckonn32.exe
    C:\Windows\system32\Eckonn32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\SysWOW64\Efikji32.exe
      C:\Windows\system32\Efikji32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3988
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        27⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2268
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        31⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        32⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        34⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        38⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        39⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        43⤵
        Executes dropped EXE
        
        PID:4084
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        44⤵
        Executes dropped EXE
        
        PID:3520
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        46⤵
        Executes dropped EXE
        
        PID:3712
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        48⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        49⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        51⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        52⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        56⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        63⤵
        Executes dropped EXE
        
        PID:5076
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        67⤵
        Modifies registry class
        
        PID:796
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        69⤵
        Drops file in System32 directory
        
        PID:4180
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        70⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3504
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        72⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        73⤵
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        77⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        78⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        79⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        80⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        81⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:692
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        83⤵
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        84⤵
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        85⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        86⤵
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        87⤵
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        88⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        89⤵
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4904
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5176
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        93⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        94⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5300
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        96⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        97⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        98⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        99⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        100⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5572
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        103⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        105⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        106⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        108⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        110⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        111⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        112⤵
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        115⤵
        Drops file in System32 directory
        
        PID:5184
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5240
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        117⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        118⤵
        Drops file in System32 directory
        
        PID:5388
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        119⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5556
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        122⤵
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        123⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        124⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        125⤵
        Modifies registry class
        
        PID:5956
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        126⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        127⤵
        Drops file in System32 directory
        
        PID:6092
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        130⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5788
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        134⤵
        Drops file in System32 directory
        
        PID:5876
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        135⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        136⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        137⤵
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        138⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        139⤵
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        140⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        141⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        142⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5124
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        144⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        145⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        146⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        147⤵
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        148⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6392
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        150⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        151⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        152⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        153⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6612
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        155⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        156⤵
        Modifies registry class
        
        PID:6704
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        158⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        159⤵
        Modifies registry class
        
        PID:6848
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        160⤵
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6932
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        162⤵
        Modifies registry class
        
        PID:6968
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7012
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7060
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        165⤵
        Modifies registry class
        
        PID:7108
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        166⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        167⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        168⤵
        Drops file in System32 directory
        
        PID:6276
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        169⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        170⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6520
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6588
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        173⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        174⤵
        Modifies registry class
        
        PID:6728
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6800
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        176⤵
        Drops file in System32 directory
        
        PID:6876
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6976
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7040
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        179⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        180⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        181⤵
        Drops file in System32 directory
        
        PID:6264
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        182⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6448
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        183⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6516
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        184⤵
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        185⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        186⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6928
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        187⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7028
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        188⤵
        Drops file in System32 directory
        
        PID:7144
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        189⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6380
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        190⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6560
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        191⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6756
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        192⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6984
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        193⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7128
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        194⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        195⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        196⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        197⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 408
        198⤵
        Program crash
        
        PID:6484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 6640 -ip 6640
1⤵
PID:6548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
107KB

MD5
8e6de86e721dc5978eb7dffb18db92ce

SHA1
0932ad6009d795a9399848e26eb95233516d80d1

SHA256
74dca45cc51a6300bb9d5f18468eae6c9af0709646ddcf83fc3ff6b27edd761a

SHA512
14d8f8f980f5538b5edf0eae24d2612c2e313604fc2c5d6784af4e03d358254269664b26f65dc6ecba9687cdb44288d2c873b096011ea15ba805dd27d67ef87e

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
107KB

MD5
9d8996e95927101fc6fb636ef0fd22e4

SHA1
60ba0119036ae1cab500fc538ac24cf2081c35da

SHA256
883fe4461eb253c200a3707b50881dc85b1717235ef82af26951e7b4a4f4ae0f

SHA512
3df3918f21058f1ae7cc25198266336579dbfd01359c656983058eb66c9e92cc6c174561cb5fa692b452053956e0bc40399712c176598e7d34d5b97d693aae31

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
107KB

MD5
1c0bf5c527f9a589e269e609af1354e2

SHA1
d95b1467a8ac670b10fb55ed988d41df83e24e84

SHA256
1c0b8caa600b9c71b1e77393f691033a8e63a5903ee1640b8020bc7a3e845fae

SHA512
8445aa7b873e2035475e81ffe4bdf7f5a6f5bb7bab11a285bf650220d0d31fbf912b369cb0fdfa17c5bf5491120c889031432b5644c24cd5753883d85b0f126c

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
107KB

MD5
d29a777457fd3fafefb69f8b2e4cf2e7

SHA1
e1420c2a742b8961a0184f37bc66314cb3ff2283

SHA256
9d126e27757d23672415fb845250ef60b839381ea4485c3559f2d5035c94117d

SHA512
603b0024aab43139f52d6bdf5f74573ad173f04ee9badd7ec107651232cf3fab0e3532afdc8abf52cf92813610f1fb52d6376639b37f59c64dadeb930d3696bf

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
107KB

MD5
e291239ec1747930d67ad5a4e14f317d

SHA1
c21717e7d62a3dcb83bed175b3b7215270066840

SHA256
b62142b9803a8f33ede31bdd53043afaad6110e8d73c4af4ba73033ccca9b966

SHA512
0014da864b960414560ea2d536e1b16440d486bbebd055b0c29c2f3d5f426e35fc1fe30e324a85ac65b25849814c66093e1a8c67cee8a0cfe7bc1b1013ad7862

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
107KB

MD5
5c672143c15d913167275f09415b9b27

SHA1
ea163a8075ca87761bee1877e4762b400c3ae14e

SHA256
e2bcd833730903f086b98ac8ffb6220eb33081d0a849c3f9daa1ad93ff52fbd6

SHA512
bf9826edbeaad841087aac7ec7103a965b79ae402d54bf9a2028f981a8dcb8e954abec0297eed026e0ffd1bc3cee585525c904f36fc94dd877213c948d0cd137

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
107KB

MD5
1e392a7e904600ab8b148084674bdf23

SHA1
3edf4b73676943f0128a2a65bf60461223fb39b2

SHA256
30c561067b206d8fb1497fab002ee1117ba41a257cc9ba873eefa1aa00e0efee

SHA512
dd624641886bb4def50f2a245dda8576cd6bd4f6a00dab76a64df990bf6fe886442c0b9e3a8abd76de4bc562993696787ad27bd82f6def8e05a7f3d5b0b57cec

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
107KB

MD5
6093e8c4d85cece52f89f940f60c794e

SHA1
6e657a22da9231497d21587ff78a101e9f224ee3

SHA256
9ab5e9d6a6070691ca3153de170c164f0d4b0e1d413ea6c83148c1a11ffbcba5

SHA512
405d4e2c7d8cb3ea7a22af64ef57eade044b3daa0d961dccfccfc0facc299b729a1868966eefd3553115ddc40abf0fe50b47ad7efbe42779096a505d21523510

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
107KB

MD5
de69a7c0d1907e0ea559d5fef84707ec

SHA1
16114e136a92953663b94c97be2766ed5899d9a3

SHA256
af11c913f4b458d7afde347ee86480f969fa91a16dabce2e297f377bca6a8b75

SHA512
ae2a73f126949588abb16d91a7dd3eb2586998bdebf0d0a553350c0b0d3db0a9192602430d65d703344ffd2dadea43d404263da7cf1e2ac2789aef71577ee659

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
107KB

MD5
c91d888df590f13e28e2c256febf6b91

SHA1
8276455033e84dade39a28f03d872ed5cb0ec3ee

SHA256
89857fb4628c7a6863a36a3ab20d7be4a826513556379d3fa3f9861c5de40185

SHA512
7100cb9f8b200c67b34944ff0743ae9ed56280b1e8ea30349df59165e1f05cc71c3e1a80db27a364c5c9b643d00c941a4e725ba8524dabbf8e365524d4809415

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
107KB

MD5
95579c8e867dbfb3c30aaf160e1434cb

SHA1
497c012be1556095ba917ce735dcf7af2edd5cce

SHA256
066a270b4c61bfca09ac5731a0111101e4937dbb4fe91aa8619c5dec76593c54

SHA512
93d6711a03678ebe5530284303d2539feb1452a657ef22347e542dc664e90f035bda196e2edf91178577bb69b20669287201a1a177d2370b41cf1cc672287519

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
107KB

MD5
b2ecb293792e01f3441cb95b844b5f5d

SHA1
430af210eb280e651ef49042e40a18da6129a51b

SHA256
44ecc3499366fd3ece54c5144b503229cb8451e9a1ef484326ef621dbc5c1d69

SHA512
a88384a1aff9305d9dc632d7832ed7c95fc723642504c3cc438b08a3f90e89a7c6d4432d7f65dd43b4594afce2fb05e44d49fa61b9da4e4177f07df4c2d129ed

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
107KB

MD5
54735255bdccd36ed9320f032e8ca164

SHA1
3160aaaa7b80dec45af8c0fd4701b19526b23b9c

SHA256
7bb39c247e5dfe2e15eda3835a01b07c6527a981dc0f6fba22b6a92b2f07a078

SHA512
0e078dd8ed2d959c71de40b30f5ee68dd5b1dd288cb29106cbf75ece4f774fc227798c4a136d5d26067e8e2498a5d439314475608ef272f6f617265302e84f1b

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
107KB

MD5
fc382aa4075fff222343c1985b8bc5cd

SHA1
5e1d5d906523309e7f703929c441f9d8c08fb686

SHA256
76709dd56fafddec591d9f6307472b67ad4b9f8b53c940fc6de2a95846139043

SHA512
a9c2374a4cd8aeb9f0e63599a0352c2264d78e441ed55b610fa49492f23aaf6971f1344709713baa34248572abb0dfb2420f69ccb405f5bf30190b3e85974337

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
107KB

MD5
93d1f9ae5b3bef4b929ab238784f4a03

SHA1
08a5784eb8d946260b49247a216557a19ac42c0e

SHA256
589c68273e5dcdaeb02a891730088ec3f809a200ba1c1a8972ceb1a76b30de34

SHA512
7c16e4bed611c16973cfea50e60f4ec640deaa09ea3c52781276f1b51160395d83103d41732cf076abe79b0ec8bbb8094ba118b78f43ee5f9192a9be716408b8

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
107KB

MD5
87aeed226d04054899514831ef66477f

SHA1
870c5b10af3c0ad9357418269ac8775f70a28bc3

SHA256
dcdfb6a981f10cbaca1b572e08a748a393e22a74cf0fa0173fcd53edd6970431

SHA512
1dab81109c979d9e6dac79dbf204654f4ce3a48463dcbee8991c56461a1e61078d934128c909d8d361a9af197fee488f48baa9f274ccad98a5380bd725d961fa

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
107KB

MD5
09ef51092b5d8116b3645540a2c25abc

SHA1
db1d759f0e4ac8ec143387a6844cee58aeacf7fb

SHA256
2becf9ae0e2278f6ca53e3d74a5d8e89a2536bbf943769eae8405f35a9031455

SHA512
e78358afb2b4f0a1653a03eceff96eabca5cd8fada8a3b3710987c5ef501d755bec4369efd9e3a61e6994c1ccbccdf91d077873776ab2dc7d3029b74829238d8

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
107KB

MD5
5fe9457618f5c3c1f7ff03bcbe0db506

SHA1
16f55e7a95cf21e740c3c53775c6439493ec9683

SHA256
8341a12489dff8006cd0029feabfaadf670a9358bbdb383bf5cf2cd9159c75fe

SHA512
fe6d844be0fecd96f39ecf1dc16ca6a91f4f8c6fc4ffd7c0210266d66487d1a4877459c17fad9c3a189cd95700f3410c7aee242066b148a372d154f60bef76ec

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
107KB

MD5
da37a8318323bf601373322c9c1e1fc6

SHA1
4d6e9ba2302e5c56d7e37a6f207676bf52adaba5

SHA256
3c3f347cd77dff3f9b8db28b0931ff7ea2954005f4116d3af50772a01736b083

SHA512
0080e4ee7d7c3455221ecaad51eaccffe3b23a9c1cb7218d07192e44faee2e89e1a091136a166b2610925d3f674eb2ea27fcf4e0ac204b1670477870f151ec52

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
107KB

MD5
db0fed0d935c3c2bc07edda2b09a87b8

SHA1
5538c0befc54ac80f0af45370ec2e690cb83881a

SHA256
e5b3467f80dc44f4e46693aebed60a2b06fb43986b2ba7dcfa26c95c2cfed5ef

SHA512
cb260f38b97b40e1d775d056e1502796e5292ef2c33da07729f1690444996385f7bf50dfc3f06d52a8d1d1f281758df588f29498670f1fb30ca0122773fdfc5d

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
107KB

MD5
6805e59ba9be08ff44a0516e4e3c55a1

SHA1
3b498aace71089e35f356708ec2d435c40f65d94

SHA256
3ba710f5194acd7f9a37c5e167a1766d66fb507828bcb777596aed3d28d85c00

SHA512
07cb7d89b884b0b0af4ecf9ce20b3f2beef76e742530a7404b0679aa7e56857bd7d7d8ae848c22b70fe8a5c209b745675dc9868e26b0c6d61e13469bff7b89fd

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
107KB

MD5
ba887c66f83d7f724b2d29e0834b4212

SHA1
8c7ea5c69229c04fff18de2309a794494f1e0678

SHA256
8969707de84fb536632626bf477dce8ce3dffcd028c1de57e94c943393615351

SHA512
fb3703461aa7620cdf0956b9ccc4d63df982b8ef0e4a8ce225b4128b54de32cbd80c1af64194ef2bba649b817f4cb9e2a5dec4e196da152cac76ab9191746dbe

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
107KB

MD5
a13ef5fa3f512aa5bd7af735191b009c

SHA1
e929e90f42d5fc655478b8ce279b062c49b99cf9

SHA256
86e6c978db8bd852574f8c40b32fde161b070283920b68c4bb38e0ab3c017459

SHA512
ff4bf5ed4082089c278a28cf6821b83ecb457a0044afa9aa910a711fc6e4f2e9c667bc58ce1c67ec2b68cf7e8583ac629a7af3fca54b2448880b972f72613579

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
107KB

MD5
8d7fc3881b540ffbc8c39162bf3ddff6

SHA1
a2482584da7e12c8316f4f7e924ab2cd3785abfe

SHA256
bcd234c1cfca2b09825c272c62fdb3485d0f2eff47d6af41269f18a1c07cc365

SHA512
5db5400364e80d63b4d7eace42b4d690a684dc68125653a7380f34a90b105e7e979216da2ab4a9c9bc01db3d77a851a5c42e0ec5eb74aa447c97752125f6e5da

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
107KB

MD5
78267ef2c723c5cccb5ff22bf1635659

SHA1
5b12e1e2ff369abacc183a1da34859be1ae6651f

SHA256
7313793c629f18171785acbb5b5b55ca401f55385657d1b68695b3a68054792c

SHA512
328a957d1cd2796b9ebb9a2d753e2d2217ee9eea143d9088f433ba41d1854410d69e60ba363025759b7d5fa8f4c5219183520e34b98027d18afe926851b2b6b5

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
107KB

MD5
e63f434c293ab7ee134513d567b0a585

SHA1
21c37a675e07d37437f0f1c2738a40e04a9bb613

SHA256
64e358892c116455b05eac632a48852e8fda13bf8436703ab0d554902a228d25

SHA512
7865eb1bc6fcaae464bd0977b66be98a868b2b716a5c03d3dcf580a832ce6fe759be1d86bfd03bf88e1643c728c8f67f4279d08281f833069d6f20676e1814d4

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
107KB

MD5
c16661d90bbab38220cfff2343c31ce8

SHA1
81b57e0441e82728b9066ae8fb1afc6d22821b24

SHA256
33184c02f17ee79f00a44df44d990db35726906bb789135f4e8f90f4e8fb1763

SHA512
8486f77d143ca36a228d391a2be02971bb7106a69500fd2d42ec216d5f7d487ff310794cad0a4d193a5df89e79cf72a4c4e25fc59b4e1e95918abce1a2ba6e37

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
107KB

MD5
0f5f370e312f49e8a2a8415538adc98a

SHA1
83e259a63e1eb7d5f6a055a94f861ba57ae2e8f7

SHA256
c4fdbc328e7b2b78f78e389e5b4e41158996005e480c9432eedcb4101c3380d6

SHA512
89d4126ae0e37ac5cf6a24e92b0edabed9673f4d302ad371f41706712a9039247a5d4834d9e52da6e8870e5010f93c7dadf39fe05490275c0666a036eeabd5b3

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
107KB

MD5
09756f1a3f9b64fbd1c2209fe2106aae

SHA1
503c38602d7f001927223fcb93d9b2ebb6fe3b21

SHA256
f91862d782cfe0cb45d4c351057cdac3e5811c93bcf9d8edd16debfe504dc887

SHA512
b8ee6ecd4adf7db29ffd2fb9150d912f326d08fe3b5e34fe74a5634d8dac59eaf1b6f641ef3ec6066393241bf80eba443219461851d367693c6b5fa40d0e0599

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
107KB

MD5
b03bab9bc3f36848001e3d67853d0cd3

SHA1
fa60a7f176203e83fff383621150162187fe0c30

SHA256
fa4d1156420a9bbdc0de9b11d34ef1250c3fc36c2ee941d179dc77dd11db7f6b

SHA512
3c44951fdaab91f31bae601b8c9152f88d2dd293727838869ee632c8e021e501c4b53cd5bcdbf0647a495d500b0becc7599b6286caadfe125b49d69834fa0240

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
107KB

MD5
352b38c7375baee0b15a0d5c48b80bc4

SHA1
828abc0d72fda384d08004a573bfa3b6ee7cd200

SHA256
80beb8a09a8109944a9952f6292635a9f0f952e53014fc934b9c9a79d11316c4

SHA512
34da577e43359aa84f1ef19add1a8c1d435ff6007ac3e021fd9bf61a71d93e3d34e982e58e11aa1f2f4c27f7a1405e336db7218d18168fb43c72eaf8a41912d7

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
107KB

MD5
ad55cbf4bab06bdeead1479a1ef67199

SHA1
da5eace10f0b59823ba74c94a723eea707e383d6

SHA256
a30468b40eb4348bb4b1377cda1f1ad94d39958609db84b9d19a51d556fbdd2c

SHA512
93eb311e4e96a891491451d2a69f6b1da71b56709f64d0d55e90801dcedbd6417d9181ec32dfd29b5ad5167af292275258cc3fe25e5f5d709fe0a589e1094997

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
107KB

MD5
f86ceb7caba15b86f9aa968cdde86a2d

SHA1
ab08eaf0b1e43559c30dddc12bfd9bc3b0acb0f2

SHA256
d25120cbbaf14108deb74d225dd6f01d3ce8aa57127b226604de948adfb5d160

SHA512
95b582fa0e7106149a9c678f44c9d5ac9fe818c2e6587d60204580b399c5708b9c506a1082dc8c26c62ee9cac5fbf448253991e3c413c0f67f9fa73cb9d993c1

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
107KB

MD5
0398578ac02c65c395157c41dab42113

SHA1
52fe6b43055e265559ac25f1dbc084f0ca849d0f

SHA256
767655155c450d30739190cfcfa11ed2460a3f61732d91f8bac555090942f439

SHA512
f7eb35de6ded3c92a9bdc9689c6e56fe93fd9b1a15e6b4b8364f2d8d8a8c25d60449883f1dd8ae965126ea7fe920f6f7c21dc2b6a8e0a6ecad1890089ef4c496

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
107KB

MD5
c79d631b5f4f39db671b68d05395bf38

SHA1
d81a4c84b2a831cb163a418fc13c44deb7fbd4ed

SHA256
c73072924770ad64b4336a18b5d0f51e472461eb9a302ca130dcd08ee6847531

SHA512
9d5ffca2e23b991f1f34130098d9c530a1c27bab3b033dbf039a43583498d12471fe1a1ff1ec999980d17110944ec27f94fe42333b12ea13255d05f79cb8446d

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
107KB

MD5
f8e708ef184fc97b82971f850cff270e

SHA1
76ac403f06d1ee30eb6ff848c5eea5d5d74f175e

SHA256
266de281b7d4191144175fea2f49a7f8331ba3d95f9ecdcb0ed32c9b46d356ed

SHA512
cf5ce1a4043f31c76df142e75667f0ad6b8333801a90703245cab11d630de8b87ff2d16e6a7faec82f49e310e478788e5e5245239b2a29408ae6a125dfa11617

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
107KB

MD5
0a8adaf7949d251035d394334da5d4cf

SHA1
3e1be402aa2e8d749d1291ce28f87a6d1bdcc2f1

SHA256
b1050a0ce6176203ed3fe5cdf2f6456fb7bf31a463cd96b6ebce41325b70dc4f

SHA512
75f39f12206657e392382870a11ee632275521db47b57bd17f97a484235a2d26b2d5765768e57688a2f7d0ad92f4fb40cf0126ea5471fbe313226918f562c08a

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
107KB

MD5
0c8cfabd10199c384153676df5ab4b82

SHA1
1c4f1d8c8e134b09be2322d614a6f4bd4d688083

SHA256
b726d03d6c2e75795c5c342ce572acf08f3ac5ef425aa3b0bd0ee6222c40e930

SHA512
1ff23a4c4495b97ad04a577a1a12511d023715f4a2f7e7265569c63566379ddc50f4f953ccfdc67dfd5fbaf3c9380df5940f52db8d63bfa4632e50a0380faf33

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
107KB

MD5
26cd506db3c1d72ca1bb9393a5237f22

SHA1
7d5344c453708f957d44e4195fa2367f23296588

SHA256
daf9ed36c0b16b483083c5b26fd2791713cab8e8956a0d0bd5ea558ce50b01b6

SHA512
0d797c96c4fe42b29c3165db5993f5bbffabef644ff8794a92e15f6f086f73afd5662c15566d459f80e57316a7bdeb5cc8e3b91206e41dd9215b507b6d785e6b

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
107KB

MD5
9bef44348095477c36f52c5cf5640517

SHA1
7ba84925becb9899987ce98284dd1677b90c0f59

SHA256
91b665a29736838a3834adc65ea04471637756871d015b94abc8533aca6b40eb

SHA512
6331deaf90821796d6c32c736a807daa02bd69d8a7b0ed0aab4d5c82e4dfd5eca37a7c3feaf7ff43e1703b0187b177a9051ebd19f54b02a1e523d1f6edcf87c6

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
107KB

MD5
4a4e4e01860bb6eedfb39c8469873740

SHA1
9cd6f10cf9555f17c377ab1f8d8650527945a308

SHA256
b35d857868b4e782666cc455684e9f00014f64fbc8a2544e772156c299e8ddef

SHA512
e30cf8c145e76b7709614efbc5f5284a655ac2c06937d30e765d6b020aaad17471bff0c5ae39b33f8679a158f88b0345cbdee59b411ab9c603e87c5beef7bfc7

Download Submit
memory/436-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/668-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/668-25-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/704-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/704-273-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/928-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/928-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/928-7-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/936-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/936-266-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/944-440-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1004-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1004-288-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1008-423-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1008-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1016-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1016-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1048-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1048-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1080-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1080-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1104-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1104-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1116-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1316-366-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1316-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1344-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1388-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1388-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1552-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1712-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1928-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1928-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1932-439-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1932-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1996-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1996-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2108-77-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2268-259-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2300-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2312-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2528-433-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2560-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-335-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2636-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2820-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3000-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3104-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3104-282-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3140-457-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3232-162-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3232-281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3460-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-446-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-381-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3520-353-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3580-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3580-258-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3636-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3712-367-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3988-203-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4084-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4084-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4088-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4088-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4228-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4228-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4344-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4348-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4520-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4520-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-130-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4636-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4636-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4720-431-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4892-432-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4892-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4896-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4896-453-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4916-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4916-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4948-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4984-332-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5020-447-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-397-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads