a6f8a65d065a3cd88ea6097a59eac421e43d821f226f08d161be31869f434d29

Analysis

max time kernel
138s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6f8a65d065a3cd88ea6097a59eac421e43d821f226f08d161be31869f434d29.exe
Size

78KB
MD5

173107e1abffe5bf79560b85114520be
SHA1

0a99c754da32258b4d459a0fbe8ac2eabebb15b8
SHA256

a6f8a65d065a3cd88ea6097a59eac421e43d821f226f08d161be31869f434d29
SHA512

275388f3523ef89fe9ae5a2eb1b1e87abc6bbfd3c1bb3f877ab96e03261baa45d6aabb0b9ead267916cd1860c54d04e5923f7a42cbf224a0de728cebcfc7a833
SSDEEP

1536:rJPXUB/i5NPw7YzuRrsbSKPnZ1yAue9rMim6yf5oAnqDM+4yyF:dPEBi/o8zuxQVPnZQZCrMimCuq4cyF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eodlho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfebonm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifmnpnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnaji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe

Executes dropped EXE 64 IoCs

pid	Process
584	Djnaji32.exe
4676	Dllmfd32.exe
668	Dcfebonm.exe
1900	Dfdbojmq.exe
1424	Dlojkddn.exe
2052	Dpjflb32.exe
3988	Efgodj32.exe
3572	Ehekqe32.exe
2000	Eckonn32.exe
2060	Ehhgfdho.exe
4404	Epopgbia.exe
4712	Ebploj32.exe
4584	Ejgdpg32.exe
5060	Eodlho32.exe
4656	Ebbidj32.exe
4628	Ehlaaddj.exe
216	Eqciba32.exe
1312	Ebeejijj.exe
780	Emjjgbjp.exe
784	Eoifcnid.exe
3456	Fbgbpihg.exe
1380	Fjnjqfij.exe
3488	Fmmfmbhn.exe
3212	Fcgoilpj.exe
4792	Fjqgff32.exe
1124	Fmocba32.exe
3368	Fcikolnh.exe
2740	Ffggkgmk.exe
4004	Fmapha32.exe
2340	Fopldmcl.exe
2736	Fbnhphbp.exe
964	Fmclmabe.exe
380	Fqohnp32.exe
712	Fcnejk32.exe
4596	Fflaff32.exe
2484	Fijmbb32.exe
4552	Fodeolof.exe
3956	Gcpapkgp.exe
916	Gfnnlffc.exe
1304	Gimjhafg.exe
2204	Gogbdl32.exe
4652	Gfqjafdq.exe
4036	Giofnacd.exe
1348	Goiojk32.exe
244	Giacca32.exe
4976	Gqikdn32.exe
3940	Gbjhlfhb.exe
4340	Gjapmdid.exe
740	Gmoliohh.exe
2684	Gcidfi32.exe
4448	Gjclbc32.exe
2676	Gifmnpnl.exe
3116	Gppekj32.exe
4396	Hclakimb.exe
4188	Hfjmgdlf.exe
2140	Hihicplj.exe
4256	Hapaemll.exe
4368	Hcnnaikp.exe
4992	Hikfip32.exe
4140	Habnjm32.exe
4476	Hcqjfh32.exe
1340	Hfofbd32.exe
1720	Hadkpm32.exe
2056	Hccglh32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jjbako32.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Dendnoah.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Kmihaj32.dll	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Fmclmabe.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Cichoi32.dll	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Dpgbbq32.dll	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Kjeebd32.dll	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Gmoliohh.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Gifmnpnl.exe	Gjclbc32.exe
File created	C:\Windows\SysWOW64\Hapaemll.exe	Hihicplj.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Bpqnnk32.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Icjmmg32.exe
File opened for modification	C:\Windows\SysWOW64\Imihfl32.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Ehlaaddj.exe	Ebbidj32.exe
File created	C:\Windows\SysWOW64\Ecppdbpl.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Dfdbojmq.exe	Dcfebonm.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Iakaql32.exe
File opened for modification	C:\Windows\SysWOW64\Ebploj32.exe	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Eqciba32.exe	Ehlaaddj.exe
File created	C:\Windows\SysWOW64\Gfqjafdq.exe	Gogbdl32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Feambf32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Dakcla32.dll	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Bppheeep.dll	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Idacmfkj.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Eckonn32.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Hfofbd32.exe	Hcqjfh32.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Jdmcidam.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Ojigmkeg.dll	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Icljbg32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Hlcqelac.dll	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Fmapha32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Geekfi32.dll	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Kmgdgjek.exe	Kkihknfg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6660	6496	WerFault.exe	261

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbkiioa.dll"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebploj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmige32.dll"	a6f8a65d065a3cd88ea6097a59eac421e43d821f226f08d161be31869f434d29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feambf32.dll"	Jbkjjblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a6f8a65d065a3cd88ea6097a59eac421e43d821f226f08d161be31869f434d29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmocba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gogbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipmack32.dll"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgbpihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogbdl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 584	3216	a6f8a65d065a3cd88ea6097a59eac421e43d821f226f08d161be31869f434d29.exe	85
PID 3216 wrote to memory of 584	3216	a6f8a65d065a3cd88ea6097a59eac421e43d821f226f08d161be31869f434d29.exe	85
PID 3216 wrote to memory of 584	3216	a6f8a65d065a3cd88ea6097a59eac421e43d821f226f08d161be31869f434d29.exe	85
PID 584 wrote to memory of 4676	584	Djnaji32.exe	86
PID 584 wrote to memory of 4676	584	Djnaji32.exe	86
PID 584 wrote to memory of 4676	584	Djnaji32.exe	86
PID 4676 wrote to memory of 668	4676	Dllmfd32.exe	87
PID 4676 wrote to memory of 668	4676	Dllmfd32.exe	87
PID 4676 wrote to memory of 668	4676	Dllmfd32.exe	87
PID 668 wrote to memory of 1900	668	Dcfebonm.exe	88
PID 668 wrote to memory of 1900	668	Dcfebonm.exe	88
PID 668 wrote to memory of 1900	668	Dcfebonm.exe	88
PID 1900 wrote to memory of 1424	1900	Dfdbojmq.exe	89
PID 1900 wrote to memory of 1424	1900	Dfdbojmq.exe	89
PID 1900 wrote to memory of 1424	1900	Dfdbojmq.exe	89
PID 1424 wrote to memory of 2052	1424	Dlojkddn.exe	90
PID 1424 wrote to memory of 2052	1424	Dlojkddn.exe	90
PID 1424 wrote to memory of 2052	1424	Dlojkddn.exe	90
PID 2052 wrote to memory of 3988	2052	Dpjflb32.exe	91
PID 2052 wrote to memory of 3988	2052	Dpjflb32.exe	91
PID 2052 wrote to memory of 3988	2052	Dpjflb32.exe	91
PID 3988 wrote to memory of 3572	3988	Efgodj32.exe	92
PID 3988 wrote to memory of 3572	3988	Efgodj32.exe	92
PID 3988 wrote to memory of 3572	3988	Efgodj32.exe	92
PID 3572 wrote to memory of 2000	3572	Ehekqe32.exe	93
PID 3572 wrote to memory of 2000	3572	Ehekqe32.exe	93
PID 3572 wrote to memory of 2000	3572	Ehekqe32.exe	93
PID 2000 wrote to memory of 2060	2000	Eckonn32.exe	96
PID 2000 wrote to memory of 2060	2000	Eckonn32.exe	96
PID 2000 wrote to memory of 2060	2000	Eckonn32.exe	96
PID 2060 wrote to memory of 4404	2060	Ehhgfdho.exe	97
PID 2060 wrote to memory of 4404	2060	Ehhgfdho.exe	97
PID 2060 wrote to memory of 4404	2060	Ehhgfdho.exe	97
PID 4404 wrote to memory of 4712	4404	Epopgbia.exe	98
PID 4404 wrote to memory of 4712	4404	Epopgbia.exe	98
PID 4404 wrote to memory of 4712	4404	Epopgbia.exe	98
PID 4712 wrote to memory of 4584	4712	Ebploj32.exe	99
PID 4712 wrote to memory of 4584	4712	Ebploj32.exe	99
PID 4712 wrote to memory of 4584	4712	Ebploj32.exe	99
PID 4584 wrote to memory of 5060	4584	Ejgdpg32.exe	100
PID 4584 wrote to memory of 5060	4584	Ejgdpg32.exe	100
PID 4584 wrote to memory of 5060	4584	Ejgdpg32.exe	100
PID 5060 wrote to memory of 4656	5060	Eodlho32.exe	101
PID 5060 wrote to memory of 4656	5060	Eodlho32.exe	101
PID 5060 wrote to memory of 4656	5060	Eodlho32.exe	101
PID 4656 wrote to memory of 4628	4656	Ebbidj32.exe	102
PID 4656 wrote to memory of 4628	4656	Ebbidj32.exe	102
PID 4656 wrote to memory of 4628	4656	Ebbidj32.exe	102
PID 4628 wrote to memory of 216	4628	Ehlaaddj.exe	103
PID 4628 wrote to memory of 216	4628	Ehlaaddj.exe	103
PID 4628 wrote to memory of 216	4628	Ehlaaddj.exe	103
PID 216 wrote to memory of 1312	216	Eqciba32.exe	104
PID 216 wrote to memory of 1312	216	Eqciba32.exe	104
PID 216 wrote to memory of 1312	216	Eqciba32.exe	104
PID 1312 wrote to memory of 780	1312	Ebeejijj.exe	105
PID 1312 wrote to memory of 780	1312	Ebeejijj.exe	105
PID 1312 wrote to memory of 780	1312	Ebeejijj.exe	105
PID 780 wrote to memory of 784	780	Emjjgbjp.exe	106
PID 780 wrote to memory of 784	780	Emjjgbjp.exe	106
PID 780 wrote to memory of 784	780	Emjjgbjp.exe	106
PID 784 wrote to memory of 3456	784	Eoifcnid.exe	107
PID 784 wrote to memory of 3456	784	Eoifcnid.exe	107
PID 784 wrote to memory of 3456	784	Eoifcnid.exe	107
PID 3456 wrote to memory of 1380	3456	Fbgbpihg.exe	108

C:\Users\Admin\AppData\Local\Temp\a6f8a65d065a3cd88ea6097a59eac421e43d821f226f08d161be31869f434d29.exe
"C:\Users\Admin\AppData\Local\Temp\a6f8a65d065a3cd88ea6097a59eac421e43d821f226f08d161be31869f434d29.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\SysWOW64\Djnaji32.exe
  C:\Windows\system32\Djnaji32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\Dllmfd32.exe
    C:\Windows\system32\Dllmfd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\SysWOW64\Dcfebonm.exe
      C:\Windows\system32\Dcfebonm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\SysWOW64\Dfdbojmq.exe
        
        C:\Windows\system32\Dfdbojmq.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        24⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        28⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2340
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:380
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        35⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        36⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        39⤵
        Executes dropped EXE
        
        PID:3956
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        41⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        43⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        45⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        46⤵
        Executes dropped EXE
        
        PID:244
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        47⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        48⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:740
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2684
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4448
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        56⤵
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        59⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        60⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        61⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        64⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        65⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4408
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        67⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        68⤵
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        69⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        70⤵
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        71⤵
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        72⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        73⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        79⤵
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        80⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        81⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        82⤵
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2672
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        85⤵
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        86⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        87⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        88⤵
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5132
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5172
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        91⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        92⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5400
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        96⤵
        Drops file in System32 directory
        
        PID:5444
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        97⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        98⤵
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        100⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        101⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        102⤵
        Modifies registry class
        
        PID:5720
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        103⤵
        Modifies registry class
        
        PID:5764
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5852
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        106⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5944
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5992
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        110⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        111⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        112⤵
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        113⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5276
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        115⤵
        Modifies registry class
        
        PID:5380
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        117⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5596
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5712
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        120⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        121⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        123⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        124⤵
        Modifies registry class
        
        PID:6064
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        125⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5352
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        127⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5988
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5280
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        134⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        136⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        137⤵
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        138⤵
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        140⤵
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        142⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        143⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6332
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6380
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        147⤵
        Modifies registry class
        
        PID:6428
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        148⤵
        Modifies registry class
        
        PID:6476
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        149⤵
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        150⤵
        Drops file in System32 directory
        
        PID:6556
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6604
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6648
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6688
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        154⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        155⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        156⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        157⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6916
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        159⤵
        Modifies registry class
        
        PID:6964
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        160⤵
        Modifies registry class
        
        PID:7008
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7052
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7096
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6164
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6216
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        167⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        168⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        169⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 408
        170⤵
        Program crash
        
        PID:6660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6496 -ip 6496
1⤵
PID:6612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcfebonm.exe

Filesize
78KB

MD5
90610074cea1cedd8bc18fcdbb1ecbb0

SHA1
6bd872350530b2fdc8f5851a8be127cb72d90388

SHA256
627d7d1f8e9fce954887993b3dfdcf4c7f04c02d6bfdb56b097be603cb077320

SHA512
410d7b4ed70caa3664d45af910917d2852e0cc65ab5bb1f652d8f99f357fd065a765921a1cc2710189e928222030feee7d82d46f3ba043d04c2b2648587d3209

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
78KB

MD5
2508cc1ec04b02c91da5e23a36d75900

SHA1
f659547196157f6dce0a6e6939971e6c9aef1090

SHA256
1dba5c2ce1c2291e0cb395e7e8c8cdbe7ab2351414ad33a4133e183ce23a9f7e

SHA512
afbc67cfaf09049833ce08af51ec2c5aeb2cc781f7cc5ffc7bc0dbf88cbd52babb68b81941f16a37ecf525b99d0af7231c52e570d8a29330e5c57a6beaeb93e1

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
78KB

MD5
5ef2dbe2b123d2d6fc61332bc18bd4b9

SHA1
2f6a2eed7f1d04c57b4b75f6628a9935de896d7b

SHA256
d92ccc1d8d109e5538c3dc8af34c87f46f01d64887a6028b2cab7125312e1dfb

SHA512
122e3be74cdd4b069cacdc2cb7c62ef0929e6a396764714c2f8ece3ad530193fed5ba79b33670424aed6e2eebceeeda12fff4a2368b512f8571e51c472995312

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
78KB

MD5
10af397c13c116412f68149711431428

SHA1
59c7af08a6b121831c4631ca5f253d62ba017cb2

SHA256
4e7e59940f7b5362da457821f9528e9a085f4312e01319b813c473299bd7d93c

SHA512
f21b1ed12e8828f1ec00d5da0d08aee6e61df12829839a40fbd375e579c4699d218a6cc723507c2aafcaa903ee7c5b88add284f2f53f687c8af79b2bb42ccd62

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
78KB

MD5
8d89742cd7e13def91366d0a495363a7

SHA1
fab29c87527ff4ebefe640e67b68b6195d965b82

SHA256
d69bbad1d47b45593b6bcdc0b3b00e7c93958819b034a58ef638422f935b5f2d

SHA512
3404a8b00db09a8aa6de73328037ec3c3324d56fa10573ff7bdb052cbd4420f927a3d28a5ef23f67595c858d49b1cee544c2600647bcbdd6d6c0d9daa93de0b6

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
78KB

MD5
2252e24a9be3fe89d3e839307fc95fb0

SHA1
2b498d667372c9dc2cf8b794257171f9e233f555

SHA256
082317e3a99e9f23a1295438759ffdc1aee34f101b9a7927441d27a0b3e32180

SHA512
4912ac52ff791371408ae6c468cdca1328231ff24374de1dd77ab56d8e4db0a2b533addeca4f941006f3aeff71d78c2d21dfb85bb30d975466de175608336835

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
78KB

MD5
29ef60211eeee4a4488fe380c9efe995

SHA1
a2a28568cde31f14e2d4f894574b09e8f6676235

SHA256
8fb06872ec6dd6553d9fe0cc7b79f693ef85a35247912e4a5204e3a5f3c7f182

SHA512
2e6a263aa5b5eb6cd5070bacfe306d55f0302e9ce9cca617313c95671b5b187d91d60bfb858d1f7167dd5b765180959c0522714186b4133b204cdcd67af0a23b

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
78KB

MD5
e366d7641c49e1797b5aa24f795f1612

SHA1
bb2001dc48f760d85c1393bc8631be43a93f684f

SHA256
10f3a99df6ae5a6f9e220b9b1929d1e590c0d85c56b80e519ae5dd66ed1af29a

SHA512
b808060c7d7ccdfd58dd38eecf8b829a5b5c96967da3075084e56c91900d221f9bb9d287c3dc18802f05752ba6e06e60234a2a91ac84389b793ce592143ae8d2

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
78KB

MD5
830597a3aeeba480bff98d4a35de1cdb

SHA1
944d3f95cce263f8e2f50092e9a3a130f54d8a20

SHA256
d7e42aa4d1b426d7805d840b3866e237246f118950e7a5be6760d850a3d74b8e

SHA512
0596147e66b82b28ec5e16a7498c96fb5efeea31faa250a93e790aa16b05311af5820bc6418a367afbe342a1acbc6fe70e2f3dbc07b8e40e37bcf43d9f13ef99

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
78KB

MD5
c1b13adff428d765220d7118dbe9c7b2

SHA1
c076e6556faff7baf4d1894a7553f347a4e813c9

SHA256
d29b72110f656f853e6db0165a83875e231f9887cafe6d5cb15ec4f027166cf6

SHA512
f609499e6e4e8698b4832107254b7218e380935b0d8ac6e12d828b6a186dfd4dabe0366f226d16433fa1bf6f99d301c7890396d9fdfd71ed260a9adfb02f92f6

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
78KB

MD5
69c00c2a111a78f8ed2e43e5bf239dae

SHA1
a6f52d41544e2b6b00b5b55323dbac311b313029

SHA256
4ead50f33e9f9e6b0e3626d4fc344a829164924e971fd137c62fd31f8e9ee955

SHA512
3c8ee3697d455b8cbfe7015936945a6a8c4ef8f35aed55b2145c160969074a2a3c54d37d8fa28f426822a75a050124d1c6e781e4ccb5d4e1b77b6a47d9b0d756

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
78KB

MD5
41ef52f42bf9d12cddd23867dfb7d2e8

SHA1
43b600ec3e66f0e59a01a8bbf10ac13e8637863d

SHA256
265c6405015d95e9535806d5493058b476488a3f55c6698ed180c42392061a05

SHA512
9bccb59d3aaf87a2e70fc1a76d32c4cb7424782046e248b6d5771d391c9e8e9e809ba2402c715efdf90a4d84717e029eba911021edfafdb6f8888e84fc87a8c7

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
78KB

MD5
67a3f09216ed11c7de250917e4368ab9

SHA1
6d450e8c582be9e5ce647f9b657c9f43e9e908f1

SHA256
f32e04ad8c6f4f9146264a69199e42738bce86ffdec2a927f03862c0e98fac98

SHA512
9a5f0507419170060d8d027f2a4c75dbfffc6a46a147ad6d3d313df4f1a382a30c9fc0f8021a6fa9437979dd20a7b5de64ddc2dfd6e4d169c68fad7faebc0af7

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
78KB

MD5
5c2c15cb8f589f1dd3e4b916eb070469

SHA1
a8ec56f5c81011a35add516e24c1c4543d32dd84

SHA256
2109b0ee9aa7b9241b03abfa719ccadb6d12d537552661f1769e575bd30c132e

SHA512
fce0a69537cb0d3eafdf8990393c33a92b14ae0769fb0ea8e37da1be4fe8065fd921fab5b0a4c3064fe6166c0c472da5d64a8814c70dbfa6bc35605eb76ba8bd

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
78KB

MD5
74ea531e7c4563218a3c3fd55afe8a79

SHA1
6cecbf6551faa17befee0ff3e571fbff0c7d787c

SHA256
4b84fa7ce06005fdbb8e18959f888e427056b6442c89b8e286048d132e6627c9

SHA512
b4209dc1b8de788b47d479d1805985bc3c8517d93cb5a8a4dde36b11ac03592002ed3439787f05fa67678183ef81e3f5548b10d517088933e3abf6647e7e9f09

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
78KB

MD5
7b664603b5bfa75b572bf90990c12a1b

SHA1
c6383912264840a5b7153b382243d6d7ab63dfaf

SHA256
684106caf2ec8a8ccfe294b4d603a6761313cff0abefaaa49859439f0f408580

SHA512
61fde6a1a89a7eba87cde7ba5511d67c24e9b7eea28931e1d6416e199e16fe7d67e45a8d596f7871448610bd6093dcd1c6cab793cb53b459e39ff6fa080107fa

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
78KB

MD5
2e42ab8887e98f939ce84068af76687b

SHA1
7b2a16ffd9415f8073c9b664e11ca01409c01d39

SHA256
46e793130524ab02da60fc9a6e2adbe3aa5021fecc70b6bc466d76edc55e8bda

SHA512
f5b6173954d20a94e7d9c224a750e37bcbd6f97b4c7f387d3bbf44875d16215219c126704cd6bc49247096bef33ccd56bd286daf0e750806ee408fbcc84ab274

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
78KB

MD5
7334c047f37630a1f9a89df5ec44a508

SHA1
8f901cfeb3d137f1df97344f10938407381aa686

SHA256
256b5bc6bd33c1199778ddbedf3b9eb5f89cf7961f6659853a84309588c3abc0

SHA512
35424868ff1a167ed21782986aef8823d0da54a5c7947b6fbfbbd767b163c0996541641ac8c75ecc6102caa1eb4585bcf0dc6b68bb0408bcfa2c9125cb4f5e63

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
78KB

MD5
b814cb885ac9114345b21765e9b6f582

SHA1
06380bfb72cba7251e9f14585dc207c10e1fbd38

SHA256
85a0e6a4a3aed00a04c03b1b4c8e9f2105cead2d817a9094c272f355143e97c3

SHA512
7be62f431928b71833795b58e255fc0e80c49b22f9c37827dee1791ae01c76b3805eb9323a2308e107aa67127e68719db09e6445fab049ef9d2e61b8ca587079

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
78KB

MD5
c52e22f2ca83c10f2d52d88bbc572317

SHA1
a095f7d112e39540be33693da26fba5d157ac693

SHA256
00dea5b868f5341679eb5a06cf5ed1c61314db607a640ff6909a0765748d5854

SHA512
1aa9e07d0ca7ed874cf0c1a68ddcea12b0f66637a9a63e3678ea3dc36495a08bf0affb6a8c19bb0bbaa7e83be0b13b37a47c12fea9661e85045672b00da3e7c4

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
78KB

MD5
569b4f63d88e92fb28e87964e21f8762

SHA1
3ce17d0c8d36b5b7c7f200be1591fd4c9660c958

SHA256
bfe0b27a6363b576f9d90bb4cb2bbc37b6e7283f517864b3f7a2de96ec0cbb89

SHA512
05303fa3c659de7a4554efa61ee8838d1b9a82944b8fa49c07172c3410062e614eb875b04d558be6f05c1bed5cea1a04c04c07bcae41bb918bdcef36004ba73c

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
78KB

MD5
4ee5a442d8dee5b12106bd5cd87031e0

SHA1
051c787132b325436d2cd9d2ad157ddc6228ec00

SHA256
35568b15d96c2b57640d8b25db6bf1d09278b675b4b276d2d40e79bc0218c20a

SHA512
07facb2a42b3a6131ac05b1528d8b57975967635ed4c2cc558389a906ee815275d94a31009ee19446b52fdb93d18509524e15bac91ffe5aac7bef1715e6424cd

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
78KB

MD5
520ca80a188927427bea054a87dd0f16

SHA1
a11237b5c4f3e7ad430d7b1aea191ed4a5d245cf

SHA256
eb93ec3f0e8999dabd842a7d74f819bd2e406eb5dfc21a979e9c9234aa0f567c

SHA512
a15749adf70cb48746086b204c7a76e194c46919fbed16de6adec0b1b506d3f66069efb7741bc9168179603d5c12d71a79e1821c8e4a6123fabfbb387369b4e1

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
78KB

MD5
f1eac18cee2337f38268e712d92cf22e

SHA1
4fba4cf3607114dafd0abac50c4c6ed280b6beba

SHA256
a8bc020217faf046cb48595d660652537ec0c91f23eacf35341e48accea64c77

SHA512
54e693a40c5af48f1f3bbe4f6a70addd2f8bf177d582e596f3e48db97e644643791f1e49435d9fc4f0978eedec61ec4680320aa583bdb8f82f8134ba8f37b187

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
78KB

MD5
b9b6394f08d5d3664f002cc116a4aac5

SHA1
5b9f682573837962b9b7dd23deacfc081d8bc95a

SHA256
2fac1f768cdd5d8f551fd7d82764acf44b33e0e4d557fdf53a1ec0fb6d90b420

SHA512
8d2e8ededf71db1d34fe2a98ae56c5c9b26c3d6b4381798abec417c9a2c26075ffc749f21d5bb398ac0538db54e24d884a4ff84816e4009c5907fba7f3f90692

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
78KB

MD5
1b301fb7f68211b7ea205f40261c757a

SHA1
0d0807518db96ca8444f4321cd0f7645793aa302

SHA256
ca20c0b70a4de6313781a1dce244b7cec70bd0989d605345a64704dfe10a6f3d

SHA512
81d41487aa1c805dcf443f3c9556c9e367b3d438bfd59800564cee28c0d5b0cddeaa1b7b6d0e49dd4b429623d1dbe8ed7822e7e5522b5da8891aa1123cd4d2b2

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
78KB

MD5
081894d42bd4c8e2d00fd27ea9e6b3ab

SHA1
aa4ca453cd7c04ea916f125c8e8fe678eceb4c63

SHA256
6f1aabf9cc23d0b4ee08bdcb9a36e8f8077573593df1c13f3ac1b651fa373906

SHA512
8c824a1af6ee62eaa8ef90a9e7f612d9f8a0e5d5ce1c5c0f980362060ddc3c3dcca44673ece86b840ce54f73346bfc08482b4634059d3c7d24487ccc4ffb0274

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
78KB

MD5
561ca8bde101766972684dd0f92b6015

SHA1
740cbbcc583512c5d8f674144685fc04898065d9

SHA256
7da95edf8b04376f824855c4fa7f3839e98012407ed5fa078f043a66483df6f6

SHA512
8a395d51d648198e52a76d9a7019e095f475fb88e9b2487de46071a5bf831933d32c07bf4c65cb7242b07f8196511a035c0b6c1aeae7b97dca39bf62a6981e11

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
78KB

MD5
dd4720677c2fa62d8ab3ea5456e70bda

SHA1
a8bdc0f2ba01b7db7890323bf4417ea069f328ee

SHA256
a3da5c08bb510a1ea3835a80f901fff2d9fdad5f936f15773fd7d0b35de4e010

SHA512
c6839db6b78a6dfce5378f584414694fc8ca82a05ce34caaa7f526d032e9deadcff9a885775d914d1ae164cfabd9c45e5997922a39df19edcabdf9bf500bab1b

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
78KB

MD5
47d0075ca7c24310e5ffcfe7a052b792

SHA1
4d7949cdf22b57fbdd26a021db3f25b57194c2bb

SHA256
13a018cd7682dc533adcafa3a4cdbc7047cd4fd80dde1f9a757306a276261e85

SHA512
fe3df1ffbd8b74aa0db8305f34e732e08d03f95cf84ce0e08e89f6575d6a8a4a5aae66b185136ce67b436dfedd912623a562748f5f03b8c014e894de6141e79a

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
78KB

MD5
516df4f2f4a5362b05a8c37c2a071278

SHA1
561f715b13e77328b5b5127aa3889a5e00605f10

SHA256
ec45706d2c08c7794f3965686bff20b16a1ccf0a85cbf713f1089f4ef9758f59

SHA512
06958c41f42034b0be2091da08b9e6084403fcd3eada7cfafe9bcb5abefaa9eb6cc1c714cb95cd03d624c456e31384db6de15a14751dedf9a09968ca315255ee

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
78KB

MD5
530e3aa79aa4d355910343600c1a498b

SHA1
5d6f3d4986d52254561c0d17abc924e32b85d4a6

SHA256
e1a608f6279f8c7e502f12d6801f8a6107fdf2462dace4c990e4b627e9a30a1c

SHA512
395159c56a8d822d22cdba2bfd20d724fae42bcc94f119bed4a8ae914061ecc7818fee5e36dfd5806c235fdd89c2a04f4a57e28e805d402d14379d25e4060af8

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
78KB

MD5
32df6e536e144d8d7cf6c3c783128c04

SHA1
08912c4d65d0bad819501dae56f19c4aa767d50c

SHA256
e63febe47307778110c20fe4247610ead441e4f6b6c3ca81da142915bc8d3530

SHA512
d2969efd9dc4bf3cbf4c6ceaa1731ab291b399769a9c4c52ca82841ff9ed7c6900cc284262766fd7bf6fe48df46ed9881437a06146452f91e6a63a5318a0621e

Download Submit
C:\Windows\SysWOW64\Ibagcc32.exe

Filesize
78KB

MD5
4c121a981873bd6caedc869f6d7e72b9

SHA1
5a9f1b58d6a3d8fd8cd4f94596b2e79132c66feb

SHA256
14a840a8ba03143cf05085f6c76639138dc21be4544e861910ab6cecbdf1a6ad

SHA512
07c35093552e7c10c51b81ddd66b188adb963e18e78bf734362203f478471efde2968fc568b2643e3e0905baae2e598a3b0e7abbca25b70e45c17ec9d1ef60ef

Download Submit
C:\Windows\SysWOW64\Jdjfcecp.exe

Filesize
78KB

MD5
bb76059a55e2e50bcd3020759aebae92

SHA1
56fee695af109ccf3f0b19d3210c3300af749b16

SHA256
695d5c6afe2f21fe44498acc7e1e38d93f221416b223f419a65861ba05eb98af

SHA512
8b48089bd566aaa6fdc72fca0ceac2bd4873342c56827209deb5b4d70ac842eaacd536c251d62c2851789178bc2be1d36a4b8844eb6dc5d9c68af2df21a874b7

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
78KB

MD5
3ca7709ad512d1855ef864dbc7db7d8d

SHA1
4217061b552e0c1a275a30f83bc1a5d52e9d9c16

SHA256
7f1b7810941719848b53b65ff90a0e6d8c3137278cc8a04b0f6aaf1a241f063a

SHA512
077048b7dfe92b9161f661abc0afef7f04a43c3dd38180c8f7726091122a1e18e83b9add6ca0d492867a15b71fc767dc585e2d77688d3f5d8831943a3cc72840

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
78KB

MD5
c1ed00b1e6f78c18982cda4343a624b5

SHA1
19f58dc77626a347415cc02702f521972d6463f8

SHA256
f631b24d8f1768f96bd2063c7234034c9d60f163f6a81c395a164bf82b847fcb

SHA512
1761272830b229e50c13ecb73cfd0ef533f23e50d68cb470acc6d1195af34f1d3942407641e6287e95c2a44bcb1c615d8f09b38afaed34fc2fbe5af4e5284273

Download Submit
memory/208-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/216-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/244-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-263-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/584-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/584-558-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/668-572-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/668-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/712-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/740-359-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/780-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/784-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/804-573-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/808-585-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/812-550-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/916-303-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/964-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1124-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1248-491-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1304-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1312-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1340-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-329-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1380-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1424-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1720-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1756-504-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1872-559-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1900-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2040-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-586-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2052-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2056-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2060-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2140-405-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2204-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2212-539-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-514-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2340-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-566-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-377-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2684-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2736-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2740-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3116-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3212-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3216-545-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3216-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3216-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3368-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3408-479-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-173-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3656-489-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3704-531-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3860-579-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3940-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3956-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-597-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4000-519-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4004-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4036-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4140-429-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4188-399-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4256-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4340-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4368-413-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4396-393-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4404-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4408-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4448-371-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4552-291-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4584-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4628-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4632-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4652-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4656-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4676-565-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4712-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-200-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4888-587-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4892-497-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4900-471-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4908-557-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4976-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-423-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5060-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5080-521-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5132-599-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads