a5dd64d94e3bc2edc0145f3d8b8afe768ac02e463e5f100590e6c642cd50ea86

Analysis

max time kernel
139s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5dd64d94e3bc2edc0145f3d8b8afe768ac02e463e5f100590e6c642cd50ea86.exe
Size

128KB
MD5

be26a33718dfad3e747e3c3d0fd12237
SHA1

5e5d62d00695357481e1c75cd702409ce7dc2009
SHA256

a5dd64d94e3bc2edc0145f3d8b8afe768ac02e463e5f100590e6c642cd50ea86
SHA512

797808ef2c3bb4934bf43bdc50643df39f8ac0800bb9a703553b31cc56913b19bfd11987af37d3aab0fc9b0e410fc8a0d6ac161d8536f0c22049988cbc8072ec
SSDEEP

3072:mQdT2ulb9jzsR41QWP4at++lc802eS5pAd:tF9oR41Nltflc852

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gqikdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmioonpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdmcidam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a5dd64d94e3bc2edc0145f3d8b8afe768ac02e463e5f100590e6c642cd50ea86.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomonm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmoliohh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eoocmoao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe

Executes dropped EXE 64 IoCs

pid	Process
2300	Djnaji32.exe
2240	Dphifcoi.exe
4472	Dfdbojmq.exe
4456	Dlojkddn.exe
1088	Dakbckbe.exe
2892	Ejbkehcg.exe
1580	Eoocmoao.exe
2268	Ejegjh32.exe
4656	Epopgbia.exe
3188	Ejgdpg32.exe
1428	Eodlho32.exe
2392	Ejjqeg32.exe
4808	Eqciba32.exe
3376	Efpajh32.exe
880	Eqfeha32.exe
4532	Fhajlc32.exe
856	Fcgoilpj.exe
4244	Fjqgff32.exe
1956	Fomonm32.exe
1232	Fbllkh32.exe
1636	Fmapha32.exe
2796	Ffjdqg32.exe
1700	Fihqmb32.exe
2916	Fobiilai.exe
3744	Fbqefhpm.exe
3556	Fmficqpc.exe
3752	Gcpapkgp.exe
3060	Gjjjle32.exe
3604	Gogbdl32.exe
4704	Gfqjafdq.exe
3284	Gbgkfg32.exe
3432	Gqikdn32.exe
944	Gcggpj32.exe
1200	Gjapmdid.exe
3672	Gmoliohh.exe
4596	Gbldaffp.exe
3340	Gmaioo32.exe
3028	Hclakimb.exe
3592	Hjfihc32.exe
2604	Hapaemll.exe
1212	Hbanme32.exe
1440	Hmfbjnbp.exe
1828	Hcqjfh32.exe
3836	Hfofbd32.exe
3876	Hmioonpn.exe
3488	Hadkpm32.exe
3660	Hfachc32.exe
3392	Hmklen32.exe
400	Hpihai32.exe
516	Hfcpncdk.exe
1756	Hmmhjm32.exe
1380	Ibjqcd32.exe
5024	Ijaida32.exe
4932	Ipnalhii.exe
2184	Ifhiib32.exe
4712	Imbaemhc.exe
3888	Ipqnahgf.exe
1724	Ifjfnb32.exe
4996	Imdnklfp.exe
1680	Iikopmkd.exe
3140	Ipegmg32.exe
4580	Ibccic32.exe
3296	Iinlemia.exe
2264	Jbfpobpb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File opened for modification	C:\Windows\SysWOW64\Ejjqeg32.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Fihqmb32.exe	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ejegjh32.exe	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Bdghlnlo.dll	Eoocmoao.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjjod32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Gmaioo32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jpojcf32.exe
File created	C:\Windows\SysWOW64\Joamagmq.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Eoocmoao.exe	Ejbkehcg.exe
File created	C:\Windows\SysWOW64\Fhajlc32.exe	Eqfeha32.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ejgdpg32.exe	Epopgbia.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Fobiilai.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Dfdbojmq.exe	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Aiagblgj.dll	Dakbckbe.exe
File opened for modification	C:\Windows\SysWOW64\Gmoliohh.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Gjapmdid.exe	Gcggpj32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Ibjqcd32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Dlojkddn.exe	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Lmbocjjm.dll	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Cmddeh32.dll	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Gbldaffp.exe	Gmoliohh.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Kflflhfg.dll	Iikopmkd.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5356	5776	WerFault.exe	220

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojigmkeg.dll"	Dfdbojmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdgpjm32.dll"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjjjle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocaapo32.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcqelac.dll"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gbldaffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dlojkddn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipnalhii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqnkb32.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbqefhpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Ifjfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djnaji32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dlojkddn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 2300	3812	a5dd64d94e3bc2edc0145f3d8b8afe768ac02e463e5f100590e6c642cd50ea86.exe	84
PID 3812 wrote to memory of 2300	3812	a5dd64d94e3bc2edc0145f3d8b8afe768ac02e463e5f100590e6c642cd50ea86.exe	84
PID 3812 wrote to memory of 2300	3812	a5dd64d94e3bc2edc0145f3d8b8afe768ac02e463e5f100590e6c642cd50ea86.exe	84
PID 2300 wrote to memory of 2240	2300	Djnaji32.exe	85
PID 2300 wrote to memory of 2240	2300	Djnaji32.exe	85
PID 2300 wrote to memory of 2240	2300	Djnaji32.exe	85
PID 2240 wrote to memory of 4472	2240	Dphifcoi.exe	86
PID 2240 wrote to memory of 4472	2240	Dphifcoi.exe	86
PID 2240 wrote to memory of 4472	2240	Dphifcoi.exe	86
PID 4472 wrote to memory of 4456	4472	Dfdbojmq.exe	87
PID 4472 wrote to memory of 4456	4472	Dfdbojmq.exe	87
PID 4472 wrote to memory of 4456	4472	Dfdbojmq.exe	87
PID 4456 wrote to memory of 1088	4456	Dlojkddn.exe	88
PID 4456 wrote to memory of 1088	4456	Dlojkddn.exe	88
PID 4456 wrote to memory of 1088	4456	Dlojkddn.exe	88
PID 1088 wrote to memory of 2892	1088	Dakbckbe.exe	89
PID 1088 wrote to memory of 2892	1088	Dakbckbe.exe	89
PID 1088 wrote to memory of 2892	1088	Dakbckbe.exe	89
PID 2892 wrote to memory of 1580	2892	Ejbkehcg.exe	90
PID 2892 wrote to memory of 1580	2892	Ejbkehcg.exe	90
PID 2892 wrote to memory of 1580	2892	Ejbkehcg.exe	90
PID 1580 wrote to memory of 2268	1580	Eoocmoao.exe	91
PID 1580 wrote to memory of 2268	1580	Eoocmoao.exe	91
PID 1580 wrote to memory of 2268	1580	Eoocmoao.exe	91
PID 2268 wrote to memory of 4656	2268	Ejegjh32.exe	92
PID 2268 wrote to memory of 4656	2268	Ejegjh32.exe	92
PID 2268 wrote to memory of 4656	2268	Ejegjh32.exe	92
PID 4656 wrote to memory of 3188	4656	Epopgbia.exe	93
PID 4656 wrote to memory of 3188	4656	Epopgbia.exe	93
PID 4656 wrote to memory of 3188	4656	Epopgbia.exe	93
PID 3188 wrote to memory of 1428	3188	Ejgdpg32.exe	94
PID 3188 wrote to memory of 1428	3188	Ejgdpg32.exe	94
PID 3188 wrote to memory of 1428	3188	Ejgdpg32.exe	94
PID 1428 wrote to memory of 2392	1428	Eodlho32.exe	95
PID 1428 wrote to memory of 2392	1428	Eodlho32.exe	95
PID 1428 wrote to memory of 2392	1428	Eodlho32.exe	95
PID 2392 wrote to memory of 4808	2392	Ejjqeg32.exe	96
PID 2392 wrote to memory of 4808	2392	Ejjqeg32.exe	96
PID 2392 wrote to memory of 4808	2392	Ejjqeg32.exe	96
PID 4808 wrote to memory of 3376	4808	Eqciba32.exe	97
PID 4808 wrote to memory of 3376	4808	Eqciba32.exe	97
PID 4808 wrote to memory of 3376	4808	Eqciba32.exe	97
PID 3376 wrote to memory of 880	3376	Efpajh32.exe	98
PID 3376 wrote to memory of 880	3376	Efpajh32.exe	98
PID 3376 wrote to memory of 880	3376	Efpajh32.exe	98
PID 880 wrote to memory of 4532	880	Eqfeha32.exe	99
PID 880 wrote to memory of 4532	880	Eqfeha32.exe	99
PID 880 wrote to memory of 4532	880	Eqfeha32.exe	99
PID 4532 wrote to memory of 856	4532	Fhajlc32.exe	100
PID 4532 wrote to memory of 856	4532	Fhajlc32.exe	100
PID 4532 wrote to memory of 856	4532	Fhajlc32.exe	100
PID 856 wrote to memory of 4244	856	Fcgoilpj.exe	101
PID 856 wrote to memory of 4244	856	Fcgoilpj.exe	101
PID 856 wrote to memory of 4244	856	Fcgoilpj.exe	101
PID 4244 wrote to memory of 1956	4244	Fjqgff32.exe	102
PID 4244 wrote to memory of 1956	4244	Fjqgff32.exe	102
PID 4244 wrote to memory of 1956	4244	Fjqgff32.exe	102
PID 1956 wrote to memory of 1232	1956	Fomonm32.exe	104
PID 1956 wrote to memory of 1232	1956	Fomonm32.exe	104
PID 1956 wrote to memory of 1232	1956	Fomonm32.exe	104
PID 1232 wrote to memory of 1636	1232	Fbllkh32.exe	105
PID 1232 wrote to memory of 1636	1232	Fbllkh32.exe	105
PID 1232 wrote to memory of 1636	1232	Fbllkh32.exe	105
PID 1636 wrote to memory of 2796	1636	Fmapha32.exe	106

C:\Users\Admin\AppData\Local\Temp\a5dd64d94e3bc2edc0145f3d8b8afe768ac02e463e5f100590e6c642cd50ea86.exe
"C:\Users\Admin\AppData\Local\Temp\a5dd64d94e3bc2edc0145f3d8b8afe768ac02e463e5f100590e6c642cd50ea86.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\Djnaji32.exe
  C:\Windows\system32\Djnaji32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\Dphifcoi.exe
    C:\Windows\system32\Dphifcoi.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\Dfdbojmq.exe
      C:\Windows\system32\Dfdbojmq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        27⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3752
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        30⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3432
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3672
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        38⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        40⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        43⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        50⤵
        Executes dropped EXE
        
        PID:400
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        53⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        54⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        56⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        57⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        63⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3296
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        65⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4868
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        68⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4444
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3608
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        72⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4100
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        74⤵
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        75⤵
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        76⤵
        Drops file in System32 directory
        
        PID:4188
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4352
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        79⤵
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        80⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        83⤵
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        84⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        87⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5208
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5268
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        91⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5404
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        94⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        95⤵
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5692
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        98⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5832
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5876
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5980
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        105⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        107⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        108⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        111⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        112⤵
        Modifies registry class
        
        PID:5564
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        113⤵
        Modifies registry class
        
        PID:5628
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        115⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5860
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        118⤵
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        119⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        120⤵
        Drops file in System32 directory
        
        PID:5160
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        121⤵
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        122⤵
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        123⤵
        Drops file in System32 directory
        
        PID:5568
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        124⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        126⤵
        Drops file in System32 directory
        
        PID:5928
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        127⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6080
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5144
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5632
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        131⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 420
        132⤵
        Program crash
        
        PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5776 -ip 5776
1⤵
PID:6088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
128KB

MD5
af0be0eb345728e42f235bdd6e31ffd7

SHA1
e37e2204b529a36254e7b56da43b78a75c46e598

SHA256
99da372e2af69d0030e64d258f1d51fbe6b231f632df598b44be956a065fb5d6

SHA512
5456467196d3d0d5a12dcbf37301b08dc66a1e4360afdbe5a8702ad975fc308086174a9c0df61f82e05df0253a0e66a4094b54082472f89c8caffe2e490cf3a6

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
128KB

MD5
b85fc7f6e82ec5737eb1b851d5c562be

SHA1
4a20ae8aed098bb23274e0361bf7ccf8d40a9853

SHA256
31950baf267b9271b0d5763bddaefea00fc8e18a2c35315b6f9a2bc44e257f35

SHA512
980bdd9ba044c458f34964068632c79bf3f572907cfe8aa5a98f18f4a0688af3e733db8dd5f10d20342c4010cd88ae1f9259e9a115beb0ca5e1e3c49518b24ed

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
128KB

MD5
999556c04e43deb18726629dcf4258b0

SHA1
d49db59dab83c23e0520dceb252ba0de5be8e4a7

SHA256
4da05b32e5fbc0e1cf190fb1ced858fd9a569276ccbd588ea3f8bb03aec507ee

SHA512
cf3d0f9fcfce5377a0d4349c82cc323f93608c004e0959eb30555d4a171120763871e8b6d164a8134bb9aabca53c6656dc0a280d2230ccca482a414991712dc3

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
128KB

MD5
f03899a5c473cda31f71c117748553a6

SHA1
53ccccc113e798a2eaa43caee3736f8d7175518e

SHA256
1645c6bca181127c1db46cfcd67bc6708442182eb5209e8dbb694529c48a3b5b

SHA512
3bc19e42b433a034fb81b05d59f3128f74769287587eb98504739883152aa08fdb0a14dbc670803c13a8ee7810b2806ab68a76debdd5c33a34eb221841410323

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
128KB

MD5
b21192eaa7887e52be55fac75d6f497d

SHA1
6c2f8e0c8cf4785740e568d3c5249d0aa419d783

SHA256
be09ccb0f15df0b72f429a910e333050e8790d83ab631b13e3e8a6abf3908da2

SHA512
3df8c07d1d00d0a8dc4989e212603758cedf444ed5ee4b943b3be8c968bb04b08b1e9f7fe362069c3fdccd59fee7bc5de758e5c081274e8c89eafcd2be8906ff

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
128KB

MD5
9ecb39adf1080129e1bbbc7bf846eb74

SHA1
2ff03dbf4f9eb0ba0635c60d22f50042d2630867

SHA256
6ffd3f70cb0dbab5978226d608bfe863005e58d142167e364aa8982ef00759e0

SHA512
9853d8941e7707a2cd28a22c0dd099e7d07ccca6b438775e379f8048ba9b1a4610b4f924d3f20cab5df7e017e0a56c2f0d11558a3a21f0e9b3ab00439b9e01ff

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
128KB

MD5
f3b6eeb2441296ac012f3891a5280131

SHA1
72da29a0885c35d573df02350d1a0dba88d87097

SHA256
7cedf8381131741ddff8d853630e43fc16c8a0da14d9e342b34145d04fd19744

SHA512
fe1a225ba0064b692daf102b754a47755921cba749ee9e4f9f46266175da68bf274bea47c0f26a3d7559adf75fa13dc2680acda2861704d3d3f443a1d75f5909

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
128KB

MD5
87e46826c5729d73dfffbcfaf7850049

SHA1
d001ba2c9f0cb66d91f01c34058d305282116a00

SHA256
0f6e0db43a2c2787352d49b5f7104c7c7edfb6da08ba9b9f20050570e958f7b1

SHA512
8d54d4afc9cec3517e18624e24af051571772fcbb3aa1812d84a2ac16e71d77dedc3cfb280890f477b9e97217e0c8b5439a7e7e83378ff54975a747b60fc6390

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
128KB

MD5
0a42ab50a9b99d5ef4877d62614a239b

SHA1
82cae6d44b395f30beda77c1848174ebaecc9865

SHA256
088a6e00364fc3827f8de0f6bb2d0e2baef4454239c82b3304c51ba62eb2c7d5

SHA512
dda294c1d7ca39c0a93cbc750e98909a936282deb40bf02672e5c0d959f447b193417c77e502cde090a6b191d2947ad4e40fd4faafd3934d1fa4c648c1f3ad84

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
128KB

MD5
3262018461cbaee6e7ec560c5626fe63

SHA1
7593ff50a653c35b56e7e2fada24657d2e21fab3

SHA256
76f1abc86762be01542f67168c47cf044905af571610a6083dae8a4e43087473

SHA512
0f2003e111492dcc5e0c1b40243a048582c9557e7559e0a05628a10b4bdcba60feef553e08d43b30c44e18185f92b957063aff78aa88bab52ffd47897ffb791a

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
128KB

MD5
d7f8482cbec4ab193a17d182a1f67901

SHA1
d137ed3f208953b2037ed8c872b6049a450a2f79

SHA256
506f6a2f42cacf80f1720e2c0e1e3d9981d689467d6896577d0d066b3238587c

SHA512
980a45dcdf4fba7e02a2f23c8836383452fb6e8eafdadfb58853dd5c1ac3f99734f9cde6749a5c43e1e0cefe1d318cdbe4f883721730ab8d464a5d92184b3d4a

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
128KB

MD5
a3770c63ed98d7c1bb1040936d63089c

SHA1
344250fee68c605d0285365e75f669789907e160

SHA256
9076bd3f775ef3fcf1fa6e72ced542c7fdd965994106fda1fbbafcca1f72b059

SHA512
0c667b9cc0b73d86fa3e60df76178fa398c7c5f8b25d21a616eff2735ef0f2e60cf2ff56e039f2537e78ded2abf156bc7908bc880d13de5e7b0dca26ccc147a8

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
128KB

MD5
12868139e2098613aa4b5dea89d99c81

SHA1
6eb86171c48bb5c62c69e475f3f5073fd6c75eb0

SHA256
f881e0d20aa0462829b04a60adbcce6db29287eb707550ae0a18ade8bfa1ce5a

SHA512
dbc06999c2bd37e655a856f0af0a489942064265d02360e9fe53818c7d8684a30a5ed7b5e2d4c99cc01ddd5f2e7c16bacda1da52fb04cf624927016d0823e863

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
128KB

MD5
5b32da4cbbe263b3681612248cbbdaf7

SHA1
a94346846c411fdc2481802a0b535d3a388fbeff

SHA256
972ac095213d5fb0e41c971e52cc75ce502872bcea7a1097bb2e9a2bd5eb388d

SHA512
7b04f13506a847715fab6bc46fddbb867b010b858360de1e803aaa4ef92f342b0cc673fecc44dfbf9f0f882cf191b8bcfac901768e75c4e132d1153c350b5340

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
128KB

MD5
27d2f9e5aa8d5966d57a1bba27a032a1

SHA1
bce6974df7c492478509ddcca012f44c73844aac

SHA256
38ca7da39a90e10b19e81f2f0ecc05650c2b8282f9c7fe23d21fe7e493b9d25e

SHA512
74fc769c65864a3a50d5ea42f07c16935b127ca46bb6e9cf77ab8cff9d452198cbcb9fa92d01ff0e5f28f136b7751de4d4a576fca1393cb2462bb87bcc6fcd2b

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
128KB

MD5
dc681a6a2e6b5f4ad776755ff62f12a5

SHA1
afcabc2a9e9900f5f1e4aafff8bb394a40c47fed

SHA256
8cc5d4f4f615c5a137f1d92088a94beb1ffdb68a556c717db3433665474fa344

SHA512
7e9e4f1c8658bda57974989c554362e9a6408a1a7be4274c8adc45ff5699686e0b97eedc1cb93d9269aaeaebc66b413de4d4b348e416ec7a3e5f46993d4822b0

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
128KB

MD5
faa5b1fb0082fa19fe5a33df200ad534

SHA1
79e3244d670d01ae5b5d1acc553643c6f3542a05

SHA256
cac6f829f7c1e19ec0f95e0503c89de1b42b9d167da0f29a96ecc0fda08c2081

SHA512
bfec35f36343b7e115702e40a963e195b9b1dd978e1bf0dc1143ae60cf592c74f61333a40dfc3000745d4563f54c464f30922dce2246733357704d2787301336

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
128KB

MD5
e809c53e5f9e8fb114d9c0edb15b618b

SHA1
887a3a88c3df46cc53079e6610ece339e56cd637

SHA256
3b293632ccb10d713ab88c6433622491d5ac5813533fc59fe7ddd77d615d4873

SHA512
106b3d3b3f60dca435f06bd0ddf76b664b220dad1b85bdff867dfd44dd42e01cb60ff28037a3f5e9b96fd3bb207a2bf912d0f818207a6e56b89c4f2f1f7332fa

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
128KB

MD5
da61104a0382ce229ad03fb2d3eaac2a

SHA1
70b7c3bda1c0faa6b54b44f8469c52025c160246

SHA256
173dbfd8d9aba02a4c73cd45bad307cfe002b962d519cdf627818b1e59468fd0

SHA512
3412a4cc3c200e19d1460116570e89a1e4626986ef362b1ecc21803161290810e3f6d504a5465ad737ddcd0b705f6f80f04c7c53d0361497e0a9fb5cfb181546

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
128KB

MD5
5fe6ed25dbe0918d2689b225d8dd3d06

SHA1
f718fbf0cde1109dad288b6d10350469bb6745e8

SHA256
d715d42ab74e56f762df30d63ff4969ec6fc6a94c76f1c49edd22e2602a35291

SHA512
9f598b9ca10e8dd5d7f40faa10b1f88fdbce1465a632277a470832611418021bc5f71e0ca5c87fe8de847128a6300424e3dcd17b62a1a1171f73fc750ba9c6a6

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
128KB

MD5
9ad16a54eed66ffd1189c8f866b68859

SHA1
b3ae7fa4ae372ca97a63bcd4fc7a70c6f88fa4c9

SHA256
43be868b6692bac8267cdb863ddb475984247ae3eb830f1c4f6175f5daacbe5f

SHA512
a2eb0d6230473264a82376939fcc425ee71a10b0bfeec9e5e3ce37e82c6bf22e9a45249aadc20d88e5edf42b8e0a647f4beb1562a2ac063f35a0ea89fe04aede

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
128KB

MD5
3a450b0196e5afd8936e27f51fa676ff

SHA1
a02efab8c9dfbb97c4159f85a94dbcab2b747b9d

SHA256
b13eb441c90b3900a84fd5722fe66f5d0634b89db89e431504691a8ebf81c80d

SHA512
fb364896a38fb9a645769da2795a5045aeb1a3cd61e9ea883a6166be19030376b4407f0680669dc7c6a9f3ee3eb5f79a93f90c5dee403bc6e63152b2b02965ef

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
128KB

MD5
a6d36299b55487d42938d2bc01f398e6

SHA1
800a144c5f430433b44da1d7eb61ea1f1fdc5666

SHA256
63ba9ae21efa66e912668df704c332a114307c41e3ad567e9fe0636767650e7a

SHA512
c1ee4ea86a279b95b3ddedd0050b0862a2680cb4bfa48d2b939cfe4d54c9a3265cdb0858a26bb912f3db0d86f64c95d25164311072374a8eb751dfc9e54817cc

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
128KB

MD5
7d74e34b00943ccf6e411a539b80392d

SHA1
9f2aac382fe4cff759f157c5d25290de4b6b8039

SHA256
ef30fe86f2f085aefe46231144474a48e19ec2e9d1cce111926609225d9e0ad0

SHA512
82d6defb8a5b307b80e45bd564cdcddd62e055f959d1e6be83f3b235d6232610474ad97adca810e7a8e7824f4dfcea72df7886d558868cad3c584597ec10ef1e

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
128KB

MD5
19c7af3c1ca7ff46ca2748f105fa9541

SHA1
b5b80ce07936294b097429a5df3c5532f9ba6628

SHA256
39c22bf311f5edc82eeb1358270ac1d7fefc196e657b11b0604e2fad0678aa9a

SHA512
9f98acedf2ed0125113efec4aeb50e04ed9a1793dff64bc207f8facc9392cd6d045233d96b31b091a616c01e12ac7d13d78b001f1f0b96950be4fb4c96548d3f

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
128KB

MD5
9c5ead899c8a2e870ed578da2fd3207a

SHA1
91356d0c8753d701c768f496724ebab4b37d0b44

SHA256
1c7ee1378df5d26c59df1148b86e4fe111b4b41de823f8f505ead3890660aa6c

SHA512
bed2d777bf6e5ac592d40f0206d7c738417f5cd31267c2f4245810d7793f9cb774830b3fa1b39bcd01806dcbd13cc58eb5b3397a60bf6f8ed8bb2acb49e9d4ef

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
128KB

MD5
6434dd217a93ae508dcb205ecfd2a3f5

SHA1
f67b5cb8f938fb141907b6569d9e1f45f6f649ea

SHA256
9a3730a71745ee4d8187cde73d1788059bc50321aee5b7bc0683becdd82747c5

SHA512
758593aec3c521e287ea424c314dec3ffeaa9c6b2099f0a1a1fd2d76e3f31f4e24e62e939c1f20c00627d9aaac1bb9acc2ee783a5d56b140d1464e2853681337

Download Submit
C:\Windows\SysWOW64\Gbldaffp.exe

Filesize
128KB

MD5
ed24600786b82491e2ef7ab35913cdca

SHA1
370cc515d341f52327438e4dbe2e5d284e04bf86

SHA256
ed08e0718859d7a4a4840cb44b6b53641d451fdeef0b398addb31101d5e152be

SHA512
52726bb725601e80deb0844f418a8d2c062e09a64c471f31eec3e817a9eb0332117a4c5d2766b74fd4df1028781c953b887b3520c6b548cb1c44a915fc26a375

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
128KB

MD5
07c34edab386f08a39c1b6ac18f92ef7

SHA1
da9a2b90d073f62c2b05e326893c887fc4932daf

SHA256
79f307f06103635ea0e802e01c3f984849bf3397066170947548b5f1a4e0eff7

SHA512
1fae8e3e4fdb7d07108043dd907b5710135627977845ee87d83e743a9e4879a2fdbb0394bfbca8f10b691de15ad8b2d9a9d1e3529e6ac5b20f148f5e27f77753

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
128KB

MD5
97c0b0af4ce1082a15a58797cd15cfa4

SHA1
31d117e64eec0e8617cf26a5a222d99301f4a96f

SHA256
5996c0de91972baf5cd23e0f23d6a7dd789e6ac213a78df73dec2ce1f6a801b7

SHA512
ae22fce15705fd701388a6c53efbce23342f30de8d0803a7308624bf60eb72c807d130d6b1dfb31ad4f152abd1cef5ec61789c82690489b539a98b7ebe3538d1

Download Submit
C:\Windows\SysWOW64\Ggmlbfpm.dll

Filesize
7KB

MD5
2ed63dd483a6182838143ee925a606c9

SHA1
595411d2ca8e5d066d72d9b95913f46f6a40ccf3

SHA256
c74beab6412430a064f96c1b4171d463b9002e870217e0530d612928e89a8210

SHA512
b691657bb665642470a1d7ff65a9814af3c6bcfd8d10542d8f55a875042f207e949e1ae951c6e3c96cd9e233ac2744f0f7e226f8eebfb42f8fc88e64c70e0e40

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
128KB

MD5
a2d5e5cf5cbde6d16ad4a1eeb6a6ed66

SHA1
b9ee2c168b10e84f8cf5cb9f238bad5bd206046e

SHA256
0b3cfa2b7f3dade96c1d10b65fb369a325b8db74bd9e7fb843f28ae6d1d6a89e

SHA512
69b4aa7805b1cacb3d108476737328db98cad9e94aaf17c9e4468be82fcab5bd9ad56f1b52b366f86f9388bb05606e938cfa251ab7fefce653e6b3bbd341fb0d

Download Submit
C:\Windows\SysWOW64\Gmoliohh.exe

Filesize
128KB

MD5
ab6476b3e88cc5c6a4e06099e052663e

SHA1
4b0d39b2cd983c333686570bfdbc6a7f686f28d4

SHA256
0ed9eb1e5832b11deb9e0785123a462be78a65a4cedb36c567ba1e6de3d525ea

SHA512
759d4b99fb33f809cf513c07ff975d86548ce2b83cd84c92a15de483c373773ac7bdb0755d7a5d45eccec7149700cb38ba902c5713324a8b6e6d4e077006ffee

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
128KB

MD5
d7d3475b09035bd2040acadd14c3da53

SHA1
aa735411f4a3c8f3a1a798e02522fd7bcc28507f

SHA256
77ec0348e0b084c0dafe89cb11b416ead4b9d0756d5968a9482821833ebe673a

SHA512
8b273dbb2e22fcb0f210d3540f78bc7f9201503df82460d54e01b0cffc303ee57b7a0d753fe8293e33c33e5428656493cd84195e9208c48f37199a40520d6581

Download Submit
C:\Windows\SysWOW64\Gqikdn32.exe

Filesize
128KB

MD5
083c4e0fa62b86032b0ac82555295cf1

SHA1
e4120fff8f09dff5b12f58307ce82cea0bf80412

SHA256
7c35992ef406da401d7dc97b6bdc912b3133f0c849a0f3527a00c6f1daaf2b3b

SHA512
cfce33f52c079c0d2245795a8aa9f2537275d64acff16cc180a7d80556305b957abfcf68ec7a2ea84bf04c316f95851e7a5402578cb166367841941278cf5d75

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
128KB

MD5
0bb3554bd708df73f646acc43ea92563

SHA1
af514b456ee4c5670b9403e95f1d1fbff3a6003a

SHA256
bf4ad0cb89ed3272fbfe2d3520458f86f1eed33979b06d46d12ec1e88e83130d

SHA512
2ed002e054f999eb24f3c8f3108f94efa0ca2d76fbacad67acdd731c2a5585d3e2a5fdbf96c948abcb44f4eb2f8119a905a80ab73cadab5b50c3715f03155061

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
128KB

MD5
768a8bb0bd1d5123cf70e91ba445f05e

SHA1
82c71f2c5f96ada9fdee275fb613f5bbfffb2442

SHA256
b0588ee6c8754c0060dcf9249eeb2a920da3af9834e596a8a9cee9c4a7fc898b

SHA512
9a0e946f241129e88b96397d5d62fec19791af0f45ac55c26cd98a7f2f1727e23b4477fbf5656832a84606162400d207d78487e7f28c686a77d2102ca038abde

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
128KB

MD5
ea6ef815d029e0139ba7916cc25ccec7

SHA1
935e1cfd5099e5e152b6043825ddebdfe10ad749

SHA256
bc1c3948a10d5b822748941a7f251719cdc94b36d24104c378e5a3f719d683dc

SHA512
1c054888d482a9159534bbf5a1703583b9fafb52d73d9d0221adccce2d1cd92c5a38dc3ab54d4a438ea161f0b9065cd5f1dafb9f1671aec96d67a683fc76ed09

Download Submit
C:\Windows\SysWOW64\Kpccnefa.exe

Filesize
128KB

MD5
3ecb3eaf307fb91d902df2999abef6e6

SHA1
da247b2092aa9488c2a4f402233e940f7a048626

SHA256
99188e1e7f53a145bf8b85f4139c45c3c1ea430f629ebde0152c87071d2f96c8

SHA512
c50d57117aebb30b7557a59a2ef0b15a802e33a1eeeee1a59b18d80ff5e20fcb3ffba792ec189e11a3ba508d6d1eee08a9a8177d83ce8b58c9ae5198487b5803

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
128KB

MD5
4a83e57075504d8c193920d847a8a25d

SHA1
9c6d43e725a15e99bb071287d5196161352e8cb7

SHA256
ccf123bd1ff86938757021c9f1a866083961568baff4e8041eed2ee657ea5497

SHA512
e4a068fc2f9f98f1b72de245a9a0b0d9cba1c1fa2d57da57d1516273a9d893f07aa3a69af87b6ead66b409e6b3395a08a878bf9d5970df18031d7fe36f8486fa

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
128KB

MD5
f3d9970fd382a403b870f2ca2c7add47

SHA1
2096158b89286ad1715dfe516d9c9d6b17efb3e2

SHA256
3cb16724c6a7f17f9a24c7c90906b2e9f9d3bf57ed09343b92fed3c79e65e66f

SHA512
981092d74160ca24e467b6ec5cb4f9065abc0f60d4c9254d9d3aaec055bef83c71a336b091a61082744a3a781ab14bc2f1daa44b55ab21d69304253c5c3a49b1

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
128KB

MD5
fef482591f59a8958f954a740343e4d6

SHA1
0a824fbf1f70bdec9de8343eb59278285017f9ba

SHA256
cb4419c3adfbef112aff61bd2b10e805665176d1a980d3ef6114719b7e0e3928

SHA512
105bd7b7a3435453fba599feea8de9bbef673a3768341d49b76d0887147d2e8505637c64321eb4e39970f395b0e373a2d6d9bbbc902c4a31cb3eb576f4f5e8cb

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
128KB

MD5
8e3c6ca02aaa07345e2aece107c728e1

SHA1
b2be1008db087e53a0c205738a522d844f9fc74e

SHA256
bb7705d59b06f923e11b40f7fb1cf04046609fdbbc164af9abdff4c6e413eced

SHA512
a291034fc9fe8719c50c56d4c259de2c754363e45cb7878e9c730140a23c318ff20ed36e1b43bbdae236c6098244919d85bd01c6d2ab18de2a56b7637fda91fe

Download Submit
memory/400-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/436-563-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/516-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/856-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/880-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/944-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1088-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1200-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1232-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1380-380-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1428-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1440-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1476-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1580-592-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1580-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1636-172-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1680-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1756-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1848-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1956-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2240-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2244-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2264-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2268-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2268-599-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2292-549-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2300-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2300-555-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2604-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2672-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2796-180-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2892-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2892-585-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2916-196-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3132-570-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3140-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3148-524-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3188-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3284-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3340-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3376-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3392-356-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3432-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3488-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3556-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3592-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3604-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3608-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3660-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-537-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3672-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3744-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3752-220-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3812-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3812-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3836-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3876-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3888-409-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3940-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4100-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4244-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4352-529-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4444-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4456-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4456-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4472-566-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4532-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4552-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4568-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4596-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4656-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4712-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4852-556-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4868-458-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4932-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4996-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5024-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5148-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5208-597-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads