423dd433eb088894ec0dd693e648f4442978f968458aead31d7a68b114c5ec90

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 01:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1ba0b9513d176b51cd7c57817d6f6330.exe
Size

96KB
MD5

1ba0b9513d176b51cd7c57817d6f6330
SHA1

e62ab3163bb014069b2f510b48d2f963babfc983
SHA256

423dd433eb088894ec0dd693e648f4442978f968458aead31d7a68b114c5ec90
SHA512

97a75f16928878fe5cf143325d2825354b1ea00cf4cc5ceade1c9a8574d1e245325e48855baf5591efdf23bbc472652b3116346a0ad8054384b91644f19623e8
SSDEEP

1536:JZC8TTiw0hHxjDQzvydYS/cpXzOg8gxu46YVcdZ2JVQBKoC/CKniTCvVAva61hLR:Jk8fwq7ydYakzO6xu4TVqZ2fQkbn1vVo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fifdgblo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epmcab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbdmpqcb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1ba0b9513d176b51cd7c57817d6f6330.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dakbckbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Impepm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjocgdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe

Executes dropped EXE 64 IoCs

pid	Process
1596	Debeijoc.exe
924	Dllmfd32.exe
2840	Dphifcoi.exe
3532	Daifnk32.exe
1128	Dhcnke32.exe
972	Domfgpca.exe
228	Dakbckbe.exe
2648	Ehekqe32.exe
5096	Epmcab32.exe
4040	Eckonn32.exe
4056	Ebnoikqb.exe
4024	Ejegjh32.exe
2212	Ehhgfdho.exe
3460	Ebploj32.exe
2160	Ejgdpg32.exe
5044	Eodlho32.exe
3748	Ejjqeg32.exe
4488	Elhmablc.exe
4944	Eofinnkf.exe
4612	Ehonfc32.exe
4856	Eoifcnid.exe
4192	Ecdbdl32.exe
3008	Fjnjqfij.exe
4524	Fqhbmqqg.exe
4904	Fcgoilpj.exe
3564	Ficgacna.exe
3968	Fqkocpod.exe
3704	Fcikolnh.exe
5032	Fifdgblo.exe
2452	Fqmlhpla.exe
1812	Fckhdk32.exe
4836	Fbnhphbp.exe
4128	Fmclmabe.exe
2560	Fobiilai.exe
556	Fflaff32.exe
3216	Fijmbb32.exe
1088	Fodeolof.exe
1704	Gcpapkgp.exe
3612	Gfnnlffc.exe
3204	Gmhfhp32.exe
4780	Gqdbiofi.exe
1100	Gcbnejem.exe
716	Gfqjafdq.exe
4728	Giofnacd.exe
760	Gqfooodg.exe
1208	Gcekkjcj.exe
4304	Gfcgge32.exe
2824	Gjocgdkg.exe
780	Gmmocpjk.exe
1336	Gpklpkio.exe
2528	Gcggpj32.exe
1628	Gfedle32.exe
848	Gidphq32.exe
4428	Gmoliohh.exe
1196	Gcidfi32.exe
3296	Gifmnpnl.exe
452	Gppekj32.exe
3448	Hjfihc32.exe
3760	Hpbaqj32.exe
4252	Hfljmdjc.exe
720	Hpenfjad.exe
4556	Hbckbepg.exe
4584	Hjjbcbqj.exe
2120	Hadkpm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ifjfnb32.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Pckgbakk.dll	Imihfl32.exe
File created	C:\Windows\SysWOW64\Ehhgfdho.exe	Ejegjh32.exe
File opened for modification	C:\Windows\SysWOW64\Ecdbdl32.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Imbaemhc.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kphmie32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Fcikolnh.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Dphifcoi.exe	Dllmfd32.exe
File created	C:\Windows\SysWOW64\Jmpngk32.exe	Jfffjqdf.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gfnnlffc.exe
File created	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Qngfmkdl.dll	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Ecdbdl32.exe	Eoifcnid.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Jokmgc32.dll	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lalcng32.exe
File created	C:\Windows\SysWOW64\Odhibo32.dll	Gjocgdkg.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kdffocib.exe	Kmlnbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Kncfca32.dll	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Debeijoc.exe	1ba0b9513d176b51cd7c57817d6f6330.exe
File opened for modification	C:\Windows\SysWOW64\Ebnoikqb.exe	Eckonn32.exe
File created	C:\Windows\SysWOW64\Ogedoeae.dll	Eoifcnid.exe
File opened for modification	C:\Windows\SysWOW64\Giofnacd.exe	Gfqjafdq.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gcekkjcj.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Gqfooodg.exe	Giofnacd.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Qnoaog32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Ebploj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6448	7092	WerFault.exe	273

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbppbgjd.dll"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhcnke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpklpkio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knceql32.dll"	Dllmfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llebfo32.dll"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibpam32.dll"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplmmfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdiihjon.dll"	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehhgfdho.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1596	1832	1ba0b9513d176b51cd7c57817d6f6330.exe	82
PID 1832 wrote to memory of 1596	1832	1ba0b9513d176b51cd7c57817d6f6330.exe	82
PID 1832 wrote to memory of 1596	1832	1ba0b9513d176b51cd7c57817d6f6330.exe	82
PID 1596 wrote to memory of 924	1596	Debeijoc.exe	83
PID 1596 wrote to memory of 924	1596	Debeijoc.exe	83
PID 1596 wrote to memory of 924	1596	Debeijoc.exe	83
PID 924 wrote to memory of 2840	924	Dllmfd32.exe	84
PID 924 wrote to memory of 2840	924	Dllmfd32.exe	84
PID 924 wrote to memory of 2840	924	Dllmfd32.exe	84
PID 2840 wrote to memory of 3532	2840	Dphifcoi.exe	85
PID 2840 wrote to memory of 3532	2840	Dphifcoi.exe	85
PID 2840 wrote to memory of 3532	2840	Dphifcoi.exe	85
PID 3532 wrote to memory of 1128	3532	Daifnk32.exe	86
PID 3532 wrote to memory of 1128	3532	Daifnk32.exe	86
PID 3532 wrote to memory of 1128	3532	Daifnk32.exe	86
PID 1128 wrote to memory of 972	1128	Dhcnke32.exe	87
PID 1128 wrote to memory of 972	1128	Dhcnke32.exe	87
PID 1128 wrote to memory of 972	1128	Dhcnke32.exe	87
PID 972 wrote to memory of 228	972	Domfgpca.exe	88
PID 972 wrote to memory of 228	972	Domfgpca.exe	88
PID 972 wrote to memory of 228	972	Domfgpca.exe	88
PID 228 wrote to memory of 2648	228	Dakbckbe.exe	89
PID 228 wrote to memory of 2648	228	Dakbckbe.exe	89
PID 228 wrote to memory of 2648	228	Dakbckbe.exe	89
PID 2648 wrote to memory of 5096	2648	Ehekqe32.exe	90
PID 2648 wrote to memory of 5096	2648	Ehekqe32.exe	90
PID 2648 wrote to memory of 5096	2648	Ehekqe32.exe	90
PID 5096 wrote to memory of 4040	5096	Epmcab32.exe	91
PID 5096 wrote to memory of 4040	5096	Epmcab32.exe	91
PID 5096 wrote to memory of 4040	5096	Epmcab32.exe	91
PID 4040 wrote to memory of 4056	4040	Eckonn32.exe	92
PID 4040 wrote to memory of 4056	4040	Eckonn32.exe	92
PID 4040 wrote to memory of 4056	4040	Eckonn32.exe	92
PID 4056 wrote to memory of 4024	4056	Ebnoikqb.exe	94
PID 4056 wrote to memory of 4024	4056	Ebnoikqb.exe	94
PID 4056 wrote to memory of 4024	4056	Ebnoikqb.exe	94
PID 4024 wrote to memory of 2212	4024	Ejegjh32.exe	95
PID 4024 wrote to memory of 2212	4024	Ejegjh32.exe	95
PID 4024 wrote to memory of 2212	4024	Ejegjh32.exe	95
PID 2212 wrote to memory of 3460	2212	Ehhgfdho.exe	96
PID 2212 wrote to memory of 3460	2212	Ehhgfdho.exe	96
PID 2212 wrote to memory of 3460	2212	Ehhgfdho.exe	96
PID 3460 wrote to memory of 2160	3460	Ebploj32.exe	97
PID 3460 wrote to memory of 2160	3460	Ebploj32.exe	97
PID 3460 wrote to memory of 2160	3460	Ebploj32.exe	97
PID 2160 wrote to memory of 5044	2160	Ejgdpg32.exe	98
PID 2160 wrote to memory of 5044	2160	Ejgdpg32.exe	98
PID 2160 wrote to memory of 5044	2160	Ejgdpg32.exe	98
PID 5044 wrote to memory of 3748	5044	Eodlho32.exe	99
PID 5044 wrote to memory of 3748	5044	Eodlho32.exe	99
PID 5044 wrote to memory of 3748	5044	Eodlho32.exe	99
PID 3748 wrote to memory of 4488	3748	Ejjqeg32.exe	101
PID 3748 wrote to memory of 4488	3748	Ejjqeg32.exe	101
PID 3748 wrote to memory of 4488	3748	Ejjqeg32.exe	101
PID 4488 wrote to memory of 4944	4488	Elhmablc.exe	102
PID 4488 wrote to memory of 4944	4488	Elhmablc.exe	102
PID 4488 wrote to memory of 4944	4488	Elhmablc.exe	102
PID 4944 wrote to memory of 4612	4944	Eofinnkf.exe	103
PID 4944 wrote to memory of 4612	4944	Eofinnkf.exe	103
PID 4944 wrote to memory of 4612	4944	Eofinnkf.exe	103
PID 4612 wrote to memory of 4856	4612	Ehonfc32.exe	104
PID 4612 wrote to memory of 4856	4612	Ehonfc32.exe	104
PID 4612 wrote to memory of 4856	4612	Ehonfc32.exe	104
PID 4856 wrote to memory of 4192	4856	Eoifcnid.exe	105

C:\Users\Admin\AppData\Local\Temp\1ba0b9513d176b51cd7c57817d6f6330.exe
"C:\Users\Admin\AppData\Local\Temp\1ba0b9513d176b51cd7c57817d6f6330.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\Debeijoc.exe
  C:\Windows\system32\Debeijoc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\Dllmfd32.exe
    C:\Windows\system32\Dllmfd32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\SysWOW64\Dphifcoi.exe
      C:\Windows\system32\Dphifcoi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\Daifnk32.exe
        
        C:\Windows\system32\Daifnk32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3532
      - C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        24⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        27⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5032
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4128
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        35⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        41⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        43⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        46⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4304
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        50⤵
        Executes dropped EXE
        
        PID:780
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1336
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        53⤵
        Executes dropped EXE
        
        PID:1628
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        54⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3296
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        58⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:452
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        60⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4252
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        64⤵
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1456
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        67⤵
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        68⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        69⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        70⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1112
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3336
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        73⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        75⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        76⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        77⤵
        Drops file in System32 directory
        
        PID:4468
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        78⤵
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        79⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        80⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        81⤵
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        82⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        83⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        85⤵
        
        PID:976
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        86⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5016
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        88⤵
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        90⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        91⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        92⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        93⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        94⤵
        Modifies registry class
        
        PID:5352
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        96⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        98⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5580
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5640
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        101⤵
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5744
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        103⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        104⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        105⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        106⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        107⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5232
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        111⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        112⤵
        Modifies registry class
        
        PID:5364
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        114⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5576
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5776
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        118⤵
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        120⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        122⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        123⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        124⤵
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        125⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5884
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        128⤵
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        129⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        130⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5952
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5212
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        133⤵
        Drops file in System32 directory
        
        PID:5476
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        134⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        135⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        136⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        137⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        138⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6196
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6240
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        141⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        142⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6360
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        144⤵
        Modifies registry class
        
        PID:6412
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        146⤵
        Modifies registry class
        
        PID:6504
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        147⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6548
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        148⤵
        Drops file in System32 directory
        
        PID:6592
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        149⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6680
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        151⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        152⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        153⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        155⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        156⤵
        Modifies registry class
        
        PID:6944
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        157⤵
        Modifies registry class
        
        PID:6988
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7040
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        159⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        160⤵
        Modifies registry class
        
        PID:7136
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        162⤵
        Modifies registry class
        
        PID:6228
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        163⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        164⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        165⤵
        Modifies registry class
        
        PID:6452
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        166⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6600
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        169⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6808
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6956
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7020
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        174⤵
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        175⤵
        Drops file in System32 directory
        
        PID:7164
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6208
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        177⤵
        Drops file in System32 directory
        
        PID:6348
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        179⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        180⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        181⤵
        Modifies registry class
        
        PID:6860
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        182⤵
        Drops file in System32 directory
        
        PID:6976
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        183⤵
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        184⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7092 -s 408
        185⤵
        Program crash
        
        PID:6448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7092 -ip 7092
1⤵
PID:6276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
96KB

MD5
2ab139a8cccbf03b5af9940bd541771e

SHA1
a06c5e519283b0f63263f566ff7215adbe94b3ae

SHA256
9dce55077b922338f5fc29b2bbd390aa3c980560112111f8ca13471874ee05d6

SHA512
f9a94c94a274776f0f552b8e7049812896c511fab3c0e53c0990b1373c2d49a270fe93db002a38064b40500388be17e2230263216844b46b1bb08f70cf93756b

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
96KB

MD5
8e64bb5e07c7dd0c22ef7958f53585bf

SHA1
95f367212b984df1eb1691edd24271a0850699dd

SHA256
ea5713a4a0bcbea078ea20e4ee51166dda64b0d5cd6df9164a2324542444a87b

SHA512
b1fc229275a9922dc79833759bd988d433eb374110366fef802094028964b1ed0e62d567a081bfe3c583730013306c94b44547fe2be995cf3a2a3ce12c8a9f42

Download Submit
C:\Windows\SysWOW64\Debeijoc.exe

Filesize
96KB

MD5
6f1316aa7207eb94e4bc58044feea37d

SHA1
e4090fa12562da0f28c49a2335ed0a1e57215ba3

SHA256
38064c39e69f7d81797fc61f32e9505415065a1530798f6c3e0c8a52e65832b7

SHA512
4c381e61e8b413717852f36e241bc66fb6fdf75cab185cd04a8da2a7a7f73efbf13e2a10dc2a3112d7ab1da2682ee0fecc17f2a9054641e7ea87f8d0a9d0535c

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
96KB

MD5
c7c43a31ab2bf8a7ff03374d96ad6127

SHA1
1c31a178a26effd2f076a1ed475e87624a5fc5a4

SHA256
33b32e2fd3e78aba38a022671b7e86303bee2da842b1de88cf4b995d3f6838ee

SHA512
bab43a6c6595599bd12bd6fd72b1eb1d60976212111ad89cd955acc0608bcc5b22de0991cd9cd6aa345f01b3924960606921323f6c62601997ef2cd0719ff5ce

Download Submit
C:\Windows\SysWOW64\Dllmfd32.exe

Filesize
96KB

MD5
65d44614b57569fb8af1492e804cd88a

SHA1
191a16a6df114f66b63ee2303a392d3a52ba2b48

SHA256
179108db3fea12596beef65949d80446154826eb67b3cdedba6bbc8c0ac53047

SHA512
59d943cd0dea4ed10d6a8c0b7e4fac9961b70d6aac046033784bfb18d579805e0949bab3b6257efe9a8e3530e9de1f3a627b799df1769eb02c7be488e8eba636

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
96KB

MD5
04ec76021eea3ee9450dc15080e459c8

SHA1
83dbfeee72f2cffec50eb754adb9e1357f9b7cb6

SHA256
47574c3c493d1162835c7ca768074a0ae1e16b49e2124fe30b9811ff627395c9

SHA512
40225bfe3889bb6cbbe0149addb224ea079b11d2fe96929dd3b1885eebdde70f7802fc1c1a2cd4387a196a34831ad3717a2379c7e74131d62b96c3b120b971d1

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
96KB

MD5
a4bc8034e7a1e691c570e395e819878c

SHA1
a7c3f78e84a1a9ee7003ff8cd185a38eac23d6b8

SHA256
bcbeb12b9f6e003d7fac014353d7af277c0a0da0706d884b9066c8f9a8c6fdf2

SHA512
893d736f731ba3488ae4beb1d749a61a2700dc71f8cbf942ebb0072dea7b05986282b8847c00799fc12d1729c87386d74d86d2d5c24c918b95599591836957f7

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
96KB

MD5
220e85f4ea8aa503c9999f7d01ceb403

SHA1
02cf15e13fb4231cf9bd2c9e665d30150e7e51fa

SHA256
27e94aed43ef5d9b1f0aaf96e611617b792ece3d1f2cdeb99c31b0d37532c231

SHA512
6520c6762f1f6d620f0ea42b2b3b3171646a66a380e7af9587d3d9d1048315e8f0a3c254a5b2f4bbf0a0e613c5fa1e74a1adc87d3c2b90be0fdd4231a7c6f981

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
96KB

MD5
c4805eb219b81ebc0509b37adb0e8efa

SHA1
b7b5c482b3ba4f99212fdb0f9318fbaaa07999e1

SHA256
23ea0876f03b5b761c501149f4ff31ff4d21925cc66eace497d11f2922916838

SHA512
1c9ae613a608c5853266b14f4daaa2edefb35253b60e2467d1843542c1bcf65ed32c6805bfc766b0b3920085422a2e2a87de554a100f8ef1fd16d2eec8651bb6

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
96KB

MD5
5c09cba0e722a1217798421b6eb5e21a

SHA1
f92af9fcb6085351195ea8bf103d1a80984af7a4

SHA256
ae73ec7b53a1ac1865af23a7f64c9d29c401f8eef654367385390780ecc0fffe

SHA512
55dcb982825755bae7566e8f7a1715774b5aa0d813f016ee08741468d17bb780c1c9a3f34466a4013089c3e6b43d5d29f4c19bdf70e139d8a22f2a36df760ff6

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
96KB

MD5
c438d378ffec07e2038251dfac0b1d95

SHA1
d314882487d52fbfd2df9bebbafc05393df2cdc8

SHA256
cba34a8c53ba5abb53f5294a3e61521a65ec23b0fa6f25624c5b4d18d7c1426a

SHA512
28d33bedc780d0fc8f19d9fff8fff84240d200302ce86431927a711147506d0073e67db55f928148c0b338f2eff7bbd36f7a3d0a09bffcbc0a0ee7716fcaca56

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
96KB

MD5
a2c329434612f170dfcbbc33038eab61

SHA1
9b08672b85fdd97707209ef8c2545b73221adae4

SHA256
cdf0dd114b0b3a98566ea53f587db08fbee0a41a47ffb4f38c42e3af2cca950a

SHA512
90b9d842b39efbbdfb17fdc133e7788a529e12e1ac7be4b402720fcfc1f605bc32dac31a5b791132779e660a2b755ce28fe0406c2991ab3794505c79567c82bb

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
96KB

MD5
3a858531696a6758a36d97131919a3f8

SHA1
4d0c8ee22db8fb85093c8063d551898f46ef39db

SHA256
a31a7cab9d8b8d2d490368b6c08b1c337d1232cb00ccfe8367f27c59c355a812

SHA512
8af3fbcf6dcdd80e04f6c10e9660ffcb5bfc0d8365ba9ee2fc929d8fb1628fe8a461920c8a63fc4ad792a2cd536a61d337f368a5e0adb3d88d960f42676eea87

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
96KB

MD5
b6a159b167ba44b1041ec21655a14bba

SHA1
f88f4588ef5b68ce16f3f2d59d068e51b187280e

SHA256
290c8eb3e490d493501063d2072f11a7e5c36f9fd5130e4d4f760a0dc09663fb

SHA512
ae6156d2de7f086571ab99d8fa31ff9cecea37ab63f4bc934da4d59fbe9bda0d0ffa43749600097ccff694592acf438f6a6a49b6fdd50d3a7dec3aac39f647b3

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
96KB

MD5
c61fc022afa9f120d3358357c5f80acd

SHA1
4d93f125edbc1e5dbf4f2f3fe428fd831683d0db

SHA256
c534b3a5a134f9047f5708b57e834002ce1b8d91e702220069a7bf005e5de96f

SHA512
41cfaa84bd2250088f088ead190e25a305e70d36000f39b4741d230136d1ae5db4446685f6b239d69a56a0211e71c6d068ab15481e40a6e01712618be0d78d6b

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
96KB

MD5
7134059d8dc5d35923a0b1af223d71fa

SHA1
c0a3be5057578be550c38c5e11a4a85c8a341933

SHA256
7e775b09fc8ffecc14c2b1537fbd6616e8a3c6f2d4a163fcda806e9bd897959d

SHA512
0481c6619dda54b22f6208fc00f1f056f1bbd6b9ce76a83944649981db43358b6df0090961bd8d09aa173ccd2d4500e5027facbcac2f3afd4ecf0b1cef424521

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
96KB

MD5
b7a9938bbc16ed0bbca81ea3fdcc9005

SHA1
a519d99e6d6d404a44382fa62b03325682bf4d2c

SHA256
2bf3975db9e56b5ff684b881876746406bd41703d221f0522a692752913bc2f0

SHA512
ad648553f363789bdd7062a23e3dc1f7823d8dbf8c021d0087a6d6e776ac3c648cdad62535761f73e7b2b448060f591e390a516f8899dd6be194d429903f3bae

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
96KB

MD5
d5e407ebf0fda6c7178141f017a274e8

SHA1
d3496a79ad7c8e66330b187ff3e6cf1603db4623

SHA256
a245362663b6d3b210524364c1075065f58acfbcf3aaf981d292ea62fec8b75b

SHA512
9efa31c86e415d59e3f4257e6a726a72279e145d4901deb21e280fec61de2c3f968a1aa5f983bf2b9dbb3ebb590640e71b2456f52afe31329b462b45e8ad1f5d

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
96KB

MD5
d564895f349099e218a542bd19edf86e

SHA1
47e800315614a83bece85052c3a0c9e5f9149bbf

SHA256
efa634310a6c2a213077d3ee066a7912484b422045e37c6bbb25e38fc60eb8c4

SHA512
5a7279172f8fcc5b39ea6d412ce75b690881c696eb3881a4c335c42a1e0c3f1201378db8fc37542b50bccfe721db7ef77e16bd2d6fbbab4404b35f25dd6fdc17

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
96KB

MD5
be8de17e43ccce553043f8ad9379f393

SHA1
3b0fae49c5085e0dc21cd3c8940c114bfa32139e

SHA256
9565c7c2c595c04464082155f8cebd4c5bd5b4c72e938192cee071066be604a2

SHA512
79e560b64eef3a40838ee42f263fdfa83635960de9d5bf293790388e042616f3af56f00164da3a36f0117cfcc9013dceb24a8d4a105d10ad7437a4b75597243e

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
96KB

MD5
c4808a1959c3880e786b8cac3d8502ae

SHA1
830e5142d819455d41839d8c9cba8a73efacfa4a

SHA256
219ab6b58e312edd38d1bf007a29affdfcc0f329cafff8c579f04b39f1100bae

SHA512
2ed880e57e96b95b9c7709ada850d148de5c9c681b2dbbff3816313c1c6e95c33d63bbc3e2f711b00ef08350c680099ec0dfb4360691dbc8944b8e72c81d0494

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
96KB

MD5
3301e8a7e5dcaea84cbf0630aae19ac6

SHA1
2bf30084d48f06a0e073e86510ead9bbfff575eb

SHA256
1196237035337c844c6a09cf91d96e6d67b98f9c288f4b30f17cea9c13a5f357

SHA512
4d3760460f39ce8c1de4886a1ea25a4b0004f7f4d6e320f67f1572155b67e36a4525e441bcdcceaf3565bd8aff4cc2a507c46a125ce24d5984c58d59080155fc

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
96KB

MD5
48846b03d4cf670c21073735e91db3e2

SHA1
5718f3b1b6104daf09917cd83841171e81d0a697

SHA256
4109436b38139fb469282bef620916c8135f58b40e6af42e63cc4b23f08481a0

SHA512
daf610c3cbb7b7d203ba0211b61d6b5817072dadd1afe974ecbe66e3bf7c52fbc8bbafeba364b753adce7e1c508d493d243c37edff4e0590de98337586341293

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
96KB

MD5
bc49592628cba5a074a9ed3c90af8471

SHA1
9ab443f9b11dad853aa9cd5bc2bd11c61ec07965

SHA256
c3350729b9f45b89ecb9b8c3b9ad5883fb3a198cacfd1e9691d3fcba7c92bfba

SHA512
e31fb3dfa5c3d3222b35b8200da14deba170483de7ef7c487b3a1badeae268ac9d25951f5cf5ee79c35b9508c1e3dd6c75467dc46e0b8d40eaf3b46938278f36

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
96KB

MD5
07181ec418c9dfbf4c3b14d40243494c

SHA1
9075da58ff2348f2ee9d17a49eb602b0c07164b5

SHA256
4547fc367671a1787fb80c4554974a9dca229da23248cc8dbeafcd428ee93e95

SHA512
3b20d21984a9efb46978ef1bc0b7edd57b170227e3b4229b12db4ec3f9b766b792d06111b9fc4b54c3240398d24e36f370b9ef412e72aa4baf61eeb76debc638

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
96KB

MD5
c731ee4d6e4c9e1443f6467edd03a1be

SHA1
d43471362ad5e4193a4ed75754ade1a82d3381a1

SHA256
39dcb121d76fca09b97af337ff46132a25486931d1b48b4fb95005d81d844de7

SHA512
1d5139716d3e2b55ac6b013c21f7d59f634cc3e1cddaea246bce7c8501b5838aca282aaf4b053cc160ab37bafed1fe7834360b119bda7016be25102a026607ab

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
96KB

MD5
74e4a4f3bd6e7ba32a7ba2e8186345fa

SHA1
d23a99ff58cb08f4afd660bfa158db82f56e4cd0

SHA256
17b20883476e471276c702c840c19f06edd24ee202dd2730ecd209863b468e01

SHA512
c3af953e9024b43f99516ec3e0423405a45bdd58cbe58cbb0b99cdc726a9f9a398f27a5edf5129ce9ff5309df9931d0101e43edc09177571f2ed65ef3cd507fe

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
96KB

MD5
46fdca6dda30fca0dba3e601da92b220

SHA1
a5fabeb00f87957b7a47c2adfbbd7b059697cc08

SHA256
589e6d24cec7a0d8b4b5ceef335881c28046ae1dae2772fa74a8ae7bb48de630

SHA512
900e5a4ebc8b62f803afb0e43641851ba8b72891fd1e08712acf64f5501d34da69b1fc78729a50bc596468814c821ab81bc39ad4a0714f70096179ede8139398

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
96KB

MD5
73b82b4ebce609cd8d6c0d5cef260031

SHA1
e538750cf11e5c0ce83085b2d612d57f2373eec4

SHA256
4bb1917c5c7faf64da538d7aa2c97ff02a551c112e6f165c965fa47433780993

SHA512
63a962f1d5dc5d9ebe4d38f3dd42ba715ae1bcf5ad8635508facc0e6670c9b1a15b9eca464cc199558eb4b486bbf458ff19ce7cc7a49f9a107f1b8177c65795a

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
96KB

MD5
c623b47ae16b6f4f3e2b3c826a54fb8c

SHA1
254523246c3c461fb4278f4c2ffb802f9215b468

SHA256
9e33adc458153d5ad9f0d160cb009541894c963e0406ffa9ea781b6efb96c0c9

SHA512
c874df1f75acf4dbaad81712b5c849f0cd3f3fa51559ef26d7b65686042dd032a851628964c16857046a21cd7d22c97c81c216f7285217e0f81ebb01a82776a9

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
96KB

MD5
6cb649a41959d596620428933b28dcf3

SHA1
7940800ef57a0627132edd9e2f874eb93969182b

SHA256
61efd6d9fb2a577efc0f26292cc3ec20fc095acec6be472616f5dffb00da41a7

SHA512
83a3bbfca5b1b525debd431b87afd7012b0aea617782cdb50d2c11d0293ac50a0758b0d56cb5b42923a29fa3b3ffb51dd752ef8c3b5e8992def00582f9f63823

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
96KB

MD5
9ca4501a83eafe869f13be6b267044db

SHA1
a64e97e38da4d1b6dcf24e8ed2fc2a4f0dea0e2d

SHA256
075c53395fdfd3d2a3801c3b33ded31efba4e4a2326f801111a36c2c37ca99fa

SHA512
2969c2b50996b53fd018ad3da00668ce7552a62905b06680fe081cf037e9bb535b60466e82658d74b47afe55fb3fab8dce4449fdd43df46189a54ea3f3848287

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
96KB

MD5
116386abbe495b9e8641385da4b3e96f

SHA1
a4e28a60fe719fa19a34a01a872005e7b1ee8ee7

SHA256
ce53caac922bb442188fb1c81a3adc12dafb5c5f208857da2f6711bc4109a762

SHA512
3137fe1f20da4efac1f778ca10288d325dd1d2ab707b75092cf749962d03271174f72a75943f72153adad7f50944bb08ac5ff03ee5caeab07eb81e919ee872dd

Download Submit
C:\Windows\SysWOW64\Ijhodq32.exe

Filesize
96KB

MD5
3e85dac25621f64ea8e61d4d56048a98

SHA1
cff45116acaccedb66293e9414f7960645057f38

SHA256
e95dbbbdca88fa782081a9efa7d8e7e43d04c4d1851e734180d163dbb043c66f

SHA512
0e1f29011a810d5617765a38b2678e9bd3cc0c2f9a4699602b720d0fd0115979e97424d01c7d47075e5418c62f2f4c59a2bc99b86ceefef0fc78fbc785516af6

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
96KB

MD5
3806affcadd236a3ee7dea0a449ad561

SHA1
8654f5e4601c94f3bf62be69c60cdebfe32ec526

SHA256
d0561a1b35f49eb1f19229fced58f7753e2564000c6687e256383b6c5413d12c

SHA512
7b8106b06f5d2a6a6098ae4b8e4175c910ed954480a6daf1bf2b4b761a4141ff2caabde9f8a9332f6d2622a8f5e77c179b29df435e967474e44a83dee0deee05

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
96KB

MD5
9224bf7a66e3c40e953f63804be233ae

SHA1
1e3e4dc5e69c45181a9400975bf2f487214c65db

SHA256
944d9625a3f8957fcba87c27d870579f0527f6b14ecd3cdcc1604bd26e44764c

SHA512
fed415edd98b5d4f465ff968c448ffebad18cd14e52a290ec21d5adcb5b5a7e78063e370c697ad180abf94e051451acf661a2ae64aff213a8cd8d5ce32daa625

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
96KB

MD5
6053df03fdbc08a009463dadbc9ed972

SHA1
f347605461203fccda4636051f27787a14a17f3c

SHA256
48a981b8c808b24103a5e991fb2d5f463218c280504f54bd5384d61f3cd1cfbe

SHA512
a05e0ff53be9cd91e5c1d8b1b824e5105bcbd611929b0973a74661236cd9139fc04349de736547bb3ef8caabcdd0745f2f9762f81ccb4529736791f4870df864

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
96KB

MD5
99171c37040cabf785c94cf838400e2a

SHA1
47374ccdf2aec1e17acc0f0fcf1c0405231b99a6

SHA256
0a88cb7877e3c37169cab00fc6d2f00baefe8a02bd26abbfe7ae1c0ff5944a07

SHA512
3ca12e7f776b8b76dd6a06da396a6513fb38c7b5fb87d0f7ace08d9821261f5c13f9c930af83f3437f950520a6e9383380309c11c27bf41afb765a6625994ad3

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
96KB

MD5
0921fb1f52d8d65ccc552135a1121a5c

SHA1
ec3ab736f31d3924fae65cfa908ddc0a140d7b8d

SHA256
ce6b67b814964f71d5202f03427e0fd55e1f10f7921ed05469a0ab45a329a7ec

SHA512
f46ada2d7ac22623bcd667cbc6b9c80996cf7b6a85eb4eaa99223de914f5c9f5651fc1d65c4c69fc7f34bca93f02251e0396e87561d22b787f3fbdb053bd3c6b

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
96KB

MD5
c3dd2ed35b04fc9458835b3581802163

SHA1
e3ad4036be2caeebcce0e149350e57527389b421

SHA256
45830e3b7bc24c7db6c946ed54eb4bb24023e96812ee1da8ab8ee593af420033

SHA512
bf12bbe2f141d1b95d1cc25d7eb13f5142afe070998ee3d18cbcba3a7c3848e3bc5c16c4c051daa0cb1e83d2ae745fac811ec18413987bea58884b4cdf5c2ea0

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
96KB

MD5
40b773dfc7b505c2642cd75bb273718e

SHA1
6091d392cf812363c54a76086efee37b28925b40

SHA256
4408d96cd28787238f324edcd8c47ed3ba671e1b2bedf16d25a615250fc507f9

SHA512
8e68b352c156ae0a27c239a17b87eff9c2519947d20e583c59b6a8d3ed468b51aa710ff7d0f5ce7481c49162607e362308e74d3dc8a6ad23937eba7ce543ff91

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
96KB

MD5
905e32600ce30f80808617286ab31781

SHA1
210699b2abbf9a9fefe77216ce2d6c52458e9c6d

SHA256
d65204c7ee2e7b8ffd5790fbfe3a26ca14db24159c9533ea6af94a2668277b4f

SHA512
95883b8f8cda86170b2b65c7fddbfc471c1bc1e269962d87831d045b02a0cba1bb4d747ddf63015e064debe0343d49b4965292af86b574bbe75980b50d84cf74

Download Submit
memory/228-151-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/228-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/452-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/556-302-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/716-348-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/716-414-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/760-361-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/760-428-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/780-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/780-388-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/848-415-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/924-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/924-106-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/972-147-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/972-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1088-314-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1100-407-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1100-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1128-133-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1196-429-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1208-373-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1336-399-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-94-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1596-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1628-411-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1704-315-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1704-384-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1812-272-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1832-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1832-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2160-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2160-212-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2212-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2212-194-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2452-262-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2528-401-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2560-294-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-64-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2824-385-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2840-29-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2840-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-195-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3008-282-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3204-333-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-371-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3216-303-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3296-435-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3448-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3460-204-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3460-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3532-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3532-33-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3564-227-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3612-387-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3612-322-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3704-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3748-150-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3968-235-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4024-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-177-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-86-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4056-96-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4128-347-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4128-283-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4192-275-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4192-187-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4304-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4304-376-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4428-422-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-243-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4488-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4524-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4524-289-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4612-261-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-421-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-355-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4780-334-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4780-400-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-340-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4836-276-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-270-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4856-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4904-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4904-301-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4944-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5032-321-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5032-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5044-226-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5044-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5096-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads