612ed180e55b2bbc276122ad18d0283158f52ea6bbae4a28a675e014c83c951d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

612ed180e55b2bbc276122ad18d0283158f52ea6bbae4a28a675e014c83c951d.exe
Size

87KB
MD5

5ee62fd1a931a86899644a3c8839a38b
SHA1

05b5647634f9b20db1ee9da89a9624c2b25a0728
SHA256

612ed180e55b2bbc276122ad18d0283158f52ea6bbae4a28a675e014c83c951d
SHA512

fff38ce082d013ecd9eeaf852a22bc171a950bcd0225099b1af1be2574f55ecad5683fb72ae02320a01e3162c38ecb27fc95f972a6543e22f028bd29dcc2d06c
SSDEEP

1536:B4m4n3ljxbICW2eGUCoXL/2nRQ44RSRBDNrR0RVe7R6R8RPD2zx:B4t3xJmBGUCoT2nelAnDlmbGcGFDex

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbako32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iidipnal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpbaqj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	612ed180e55b2bbc276122ad18d0283158f52ea6bbae4a28a675e014c83c951d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elhmablc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efikji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efikji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djpnohej.exe

Executes dropped EXE 64 IoCs

pid	Process
4732	Djpnohej.exe
2676	Dlojkddn.exe
6072	Efgodj32.exe
5548	Ehekqe32.exe
5164	Eoocmoao.exe
4288	Efikji32.exe
4824	Elccfc32.exe
5324	Ecmlcmhe.exe
5148	Eflhoigi.exe
4072	Eleplc32.exe
2444	Ecphimfb.exe
4364	Efneehef.exe
5200	Elhmablc.exe
3972	Ebeejijj.exe
1876	Ejlmkgkl.exe
1960	Eoifcnid.exe
3912	Fbgbpihg.exe
3592	Fokbim32.exe
2116	Fbioei32.exe
5708	Fbllkh32.exe
3864	Fjcclf32.exe
5016	Fqmlhpla.exe
868	Fjepaecb.exe
1352	Fmclmabe.exe
5000	Fobiilai.exe
2248	Fcnejk32.exe
2052	Fflaff32.exe
3048	Gmhfhp32.exe
5916	Gfqjafdq.exe
3068	Gqfooodg.exe
5136	Gfcgge32.exe
4004	Gcggpj32.exe
1528	Gidphq32.exe
4540	Gpnhekgl.exe
4828	Gjclbc32.exe
316	Gmaioo32.exe
4304	Hfjmgdlf.exe
756	Hihicplj.exe
6028	Hpbaqj32.exe
3496	Hfljmdjc.exe
4312	Hjhfnccl.exe
4088	Habnjm32.exe
4820	Hbckbepg.exe
2432	Hfofbd32.exe
3936	Hccglh32.exe
4388	Hfachc32.exe
3396	Hjmoibog.exe
4756	Hpihai32.exe
4040	Hjolnb32.exe
4440	Ipldfi32.exe
1064	Icgqggce.exe
5960	Iidipnal.exe
728	Impepm32.exe
6140	Ifhiib32.exe
4344	Iiffen32.exe
5736	Iannfk32.exe
5332	Icljbg32.exe
5140	Ijfboafl.exe
4120	Iapjlk32.exe
1912	Ibagcc32.exe
5168	Ijhodq32.exe
864	Iikopmkd.exe
3624	Iabgaklg.exe
5484	Idacmfkj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jibeql32.exe	Jjpeepnb.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jjmhppqd.exe	Jbfpobpb.exe
File opened for modification	C:\Windows\SysWOW64\Elccfc32.exe	Efikji32.exe
File created	C:\Windows\SysWOW64\Fihpfl32.dll	Eleplc32.exe
File created	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Eoocmoao.exe	Ehekqe32.exe
File created	C:\Windows\SysWOW64\Hjmoibog.exe	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Gqfooodg.exe	Gfqjafdq.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kaemnhla.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Icljbg32.exe	Iannfk32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Hbckbepg.exe	Habnjm32.exe
File created	C:\Windows\SysWOW64\Gbledndp.dll	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Nphqml32.dll	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Fflaff32.exe	Fcnejk32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Lkbhbe32.dll	Hpihai32.exe
File opened for modification	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File opened for modification	C:\Windows\SysWOW64\Ecmlcmhe.exe	Elccfc32.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Inomojol.dll	Elhmablc.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Iapjlk32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Ejlmkgkl.exe
File opened for modification	C:\Windows\SysWOW64\Jkdnpo32.exe	Jfhbppbc.exe
File created	C:\Windows\SysWOW64\Dnplgc32.dll	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Hpihai32.exe	Hjmoibog.exe
File created	C:\Windows\SysWOW64\Fmclmabe.exe	Fjepaecb.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Hfjmgdlf.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Fjcclf32.exe	Fbllkh32.exe
File created	C:\Windows\SysWOW64\Iblilb32.dll	Fmclmabe.exe
File opened for modification	C:\Windows\SysWOW64\Gmaioo32.exe	Gjclbc32.exe
File opened for modification	C:\Windows\SysWOW64\Jmkdlkph.exe	Jjmhppqd.exe
File created	C:\Windows\SysWOW64\Klfbpcko.dll	Ecphimfb.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hfofbd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
732	2792	WerFault.exe	225

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efneehef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ebeejijj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dempmq32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecphimfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ejlmkgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hihicplj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldobbkdk.dll"	Kmgdgjek.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfbpcko.dll"	Ecphimfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjcclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hpbaqj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gfqjafdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oddfqf32.dll"	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfiapa32.dll"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknpkqim.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlojkddn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqfooodg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkiobic.dll"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmfdf32.dll"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peeafpaf.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	612ed180e55b2bbc276122ad18d0283158f52ea6bbae4a28a675e014c83c951d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5308 wrote to memory of 4732	5308	612ed180e55b2bbc276122ad18d0283158f52ea6bbae4a28a675e014c83c951d.exe	82
PID 5308 wrote to memory of 4732	5308	612ed180e55b2bbc276122ad18d0283158f52ea6bbae4a28a675e014c83c951d.exe	82
PID 5308 wrote to memory of 4732	5308	612ed180e55b2bbc276122ad18d0283158f52ea6bbae4a28a675e014c83c951d.exe	82
PID 4732 wrote to memory of 2676	4732	Djpnohej.exe	83
PID 4732 wrote to memory of 2676	4732	Djpnohej.exe	83
PID 4732 wrote to memory of 2676	4732	Djpnohej.exe	83
PID 2676 wrote to memory of 6072	2676	Dlojkddn.exe	84
PID 2676 wrote to memory of 6072	2676	Dlojkddn.exe	84
PID 2676 wrote to memory of 6072	2676	Dlojkddn.exe	84
PID 6072 wrote to memory of 5548	6072	Efgodj32.exe	86
PID 6072 wrote to memory of 5548	6072	Efgodj32.exe	86
PID 6072 wrote to memory of 5548	6072	Efgodj32.exe	86
PID 5548 wrote to memory of 5164	5548	Ehekqe32.exe	87
PID 5548 wrote to memory of 5164	5548	Ehekqe32.exe	87
PID 5548 wrote to memory of 5164	5548	Ehekqe32.exe	87
PID 5164 wrote to memory of 4288	5164	Eoocmoao.exe	88
PID 5164 wrote to memory of 4288	5164	Eoocmoao.exe	88
PID 5164 wrote to memory of 4288	5164	Eoocmoao.exe	88
PID 4288 wrote to memory of 4824	4288	Efikji32.exe	90
PID 4288 wrote to memory of 4824	4288	Efikji32.exe	90
PID 4288 wrote to memory of 4824	4288	Efikji32.exe	90
PID 4824 wrote to memory of 5324	4824	Elccfc32.exe	91
PID 4824 wrote to memory of 5324	4824	Elccfc32.exe	91
PID 4824 wrote to memory of 5324	4824	Elccfc32.exe	91
PID 5324 wrote to memory of 5148	5324	Ecmlcmhe.exe	92
PID 5324 wrote to memory of 5148	5324	Ecmlcmhe.exe	92
PID 5324 wrote to memory of 5148	5324	Ecmlcmhe.exe	92
PID 5148 wrote to memory of 4072	5148	Eflhoigi.exe	93
PID 5148 wrote to memory of 4072	5148	Eflhoigi.exe	93
PID 5148 wrote to memory of 4072	5148	Eflhoigi.exe	93
PID 4072 wrote to memory of 2444	4072	Eleplc32.exe	94
PID 4072 wrote to memory of 2444	4072	Eleplc32.exe	94
PID 4072 wrote to memory of 2444	4072	Eleplc32.exe	94
PID 2444 wrote to memory of 4364	2444	Ecphimfb.exe	95
PID 2444 wrote to memory of 4364	2444	Ecphimfb.exe	95
PID 2444 wrote to memory of 4364	2444	Ecphimfb.exe	95
PID 4364 wrote to memory of 5200	4364	Efneehef.exe	96
PID 4364 wrote to memory of 5200	4364	Efneehef.exe	96
PID 4364 wrote to memory of 5200	4364	Efneehef.exe	96
PID 5200 wrote to memory of 3972	5200	Elhmablc.exe	97
PID 5200 wrote to memory of 3972	5200	Elhmablc.exe	97
PID 5200 wrote to memory of 3972	5200	Elhmablc.exe	97
PID 3972 wrote to memory of 1876	3972	Ebeejijj.exe	98
PID 3972 wrote to memory of 1876	3972	Ebeejijj.exe	98
PID 3972 wrote to memory of 1876	3972	Ebeejijj.exe	98
PID 1876 wrote to memory of 1960	1876	Ejlmkgkl.exe	99
PID 1876 wrote to memory of 1960	1876	Ejlmkgkl.exe	99
PID 1876 wrote to memory of 1960	1876	Ejlmkgkl.exe	99
PID 1960 wrote to memory of 3912	1960	Eoifcnid.exe	100
PID 1960 wrote to memory of 3912	1960	Eoifcnid.exe	100
PID 1960 wrote to memory of 3912	1960	Eoifcnid.exe	100
PID 3912 wrote to memory of 3592	3912	Fbgbpihg.exe	101
PID 3912 wrote to memory of 3592	3912	Fbgbpihg.exe	101
PID 3912 wrote to memory of 3592	3912	Fbgbpihg.exe	101
PID 3592 wrote to memory of 2116	3592	Fokbim32.exe	102
PID 3592 wrote to memory of 2116	3592	Fokbim32.exe	102
PID 3592 wrote to memory of 2116	3592	Fokbim32.exe	102
PID 2116 wrote to memory of 5708	2116	Fbioei32.exe	103
PID 2116 wrote to memory of 5708	2116	Fbioei32.exe	103
PID 2116 wrote to memory of 5708	2116	Fbioei32.exe	103
PID 5708 wrote to memory of 3864	5708	Fbllkh32.exe	104
PID 5708 wrote to memory of 3864	5708	Fbllkh32.exe	104
PID 5708 wrote to memory of 3864	5708	Fbllkh32.exe	104
PID 3864 wrote to memory of 5016	3864	Fjcclf32.exe	105

C:\Users\Admin\AppData\Local\Temp\612ed180e55b2bbc276122ad18d0283158f52ea6bbae4a28a675e014c83c951d.exe
"C:\Users\Admin\AppData\Local\Temp\612ed180e55b2bbc276122ad18d0283158f52ea6bbae4a28a675e014c83c951d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5308
- C:\Windows\SysWOW64\Djpnohej.exe
  C:\Windows\system32\Djpnohej.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Windows\SysWOW64\Dlojkddn.exe
    C:\Windows\system32\Dlojkddn.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Efgodj32.exe
      C:\Windows\system32\Efgodj32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:6072
    - - C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5548
      - C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5164
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5324
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5148
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5200
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5708
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        23⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        28⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        38⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:6028
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2432
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4388
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4756
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1064
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5960
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:6140
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5168
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        63⤵
        Executes dropped EXE
        
        PID:864
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        65⤵
        Executes dropped EXE
        
        PID:5484
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4996
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        67⤵
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        68⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        69⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        70⤵
        Drops file in System32 directory
        
        PID:4724
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        71⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        72⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        73⤵
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        74⤵
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2348
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        76⤵
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        77⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3436
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        80⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2808
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3640
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1320
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        86⤵
        Drops file in System32 directory
        
        PID:5616
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4572
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        89⤵
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        90⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        91⤵
        
        PID:448
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        93⤵
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        94⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        95⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4468
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        98⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        100⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        101⤵
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        102⤵
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        103⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        104⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        105⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1684
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        107⤵
        
        PID:436
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        108⤵
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        109⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3764
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5592
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        113⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        114⤵
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        115⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        116⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        117⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        118⤵
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3596
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3252
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        122⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        123⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        124⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        126⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        127⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        128⤵
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        129⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        132⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        133⤵
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        134⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        135⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        136⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        138⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        139⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        140⤵
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        141⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 412
        142⤵
        Program crash
        
        PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2792 -ip 2792
1⤵
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Djpnohej.exe

Filesize
87KB

MD5
c4ad318bad5e25222a08f89cf623160e

SHA1
0c7b04bf444d336874d251823ba38f179d12d7c5

SHA256
86d109ccc8f3579059fc90c4fdbdedbd6eef6b3e4fd192a1ff9104acbf472ab4

SHA512
949b1d3f9ded7b07ee47ea4bb52826eff1a73da3645bff0bf8bcc43daeee6ad7df34be6420ddbee6a19f7a34405885b1ea1f3874ac22568311ceaa7d047fc412

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
87KB

MD5
34906893343f467813c26e2985ab069c

SHA1
6d7d464d750de2cd7b3468a29964249fed93fe1b

SHA256
0801218a8af5e0db40e7755b33c1e71db7ea4ab4ca3a7ec03b6faed5a070bac4

SHA512
4542bc580cc2053bc1848d971a9a9b26c0a7975a1334ba4eed3b1c6131e35e1349eb3b5c4dccb6745bf2eb58e86ef8ad1e4136092b5c62f9deca0a37db2763ee

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
87KB

MD5
66ea7af5ad5b539ff35d99ccada20b6d

SHA1
c9b689a92be207bcb45c18159cc786942d99d977

SHA256
10f066cccf0ab35f244a185bf01e910799f61edf5ae818232c1eead08af9866c

SHA512
8f59fc7475cfbce6aa2c25a431fcb32a3a2ebb62b4974b25d878dc53d1613b744f7b94efd45f9288fe7cd8aada49d7883f7bc2d235ec55b765547feab9da78c7

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
87KB

MD5
653bb187b1c0a5cbd7914dd49a658ffe

SHA1
fe24670e101707d3d372caa2a946b27ca62bf929

SHA256
5c682073d2cca1d195b5830385e267110480a5beb99126b083d28435cd9dd845

SHA512
4e1c5d7026e5db09f83a43da2b07f53d02f935525004074a51d62a7b44439e90ae807581bf4ab2a7e143d96d3be247121edf65d32b6ff3d3be1f7187b6f5319e

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
87KB

MD5
75e4eb1fd0d46d142ce672a7c880fdea

SHA1
f62e8eef6e073956012ec894c8b1b5c7fd088532

SHA256
ba5828cd7a209b489e53b258c1062683cbcb608d15c37bceb0bef9a1d1e00259

SHA512
d5d39a74f4ec40009c3e36a3957210fee56dbebd0dfe7baf05a4a24c08636031f44d7f8f6a622638a11390ba94d00f51b79ef8087db153e0b5e609a64dd72ff5

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
87KB

MD5
4f256845df008400471ef9626ed5be8e

SHA1
be42d1e5e24b23dd7fb85aa68816a14fee82758d

SHA256
67f9f37756b3d50979b34891b7aa62e4545a2effa0dba54eeaa9358490e0c031

SHA512
199b90158a55808fd467cb20d0c7956c81d157e0a41a8f09b93103b34e21cbf8419712b50ddb69f936b5d574abc8a8b997dc897cde7eff33ea3ccb3ec41ffde7

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
87KB

MD5
e718d9b3d16eaede15b260c10a011c94

SHA1
fb33bb12ad84bd79f76af0c147b8357d7bfd24d0

SHA256
cf206af91ff6c36ff1444d9d40f23e2f5e527202519a095b7a6aa64cb63bab60

SHA512
ba933c6c8c1f62342e5742feb39ee86ec3e49800177039e8afed46f82d68e32773f660e742c00ee3001c89d5a03e7b2bec7a60559b01300e83acd95147c6b475

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
87KB

MD5
209974ee04a7ae7a90724e1f78b971db

SHA1
d8d24a077d7b26f30d814c372efcb9da0f33d1b1

SHA256
ca995706f792ae1ca181fde20250811eca1bd4bd2000eb4d4a52fa81d214aa64

SHA512
3b2c2edf69f4efb02833cf683625ae3772e94f13454a54d333a75ca1cca51b7542d39577bf44700bbe417d07f3e055096a85348ac520190db473ff760cc1a6d3

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
87KB

MD5
4d7f8ed40445de0156c8e89bc4a6c6d9

SHA1
8fdd34890df450b60be6f561438cfffcbffd66d5

SHA256
dad118f6e7e0fe99760a45e72a917a962a45df22941f543dc731eae136408bdd

SHA512
eba485eb47a18ceb33f17b1b89bc3709d7ddc4d1e1d27061b45f5d78ccec8fd839dcf2e214793ea1f2245d9d97e37dfc75491e580b779df66aab20ccebc77610

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
87KB

MD5
6fb1e54a64abe708d9ff5475f25a1a0d

SHA1
f5cb75e5554d513bf5d0c1cc19a132ee647905ae

SHA256
515ed2028576a0f0b9ef30de06b6a8e36dcff0ab6ac3eca9f6013b8f514c7adf

SHA512
ee2811070857356ee7c9fd37b261a9b78a5147d8da720dbb521f4808e2e4c1b2dfc3eaac741fc801e12c3d0c4071c6b4aa589eb22ada38f13a9fc3d34059106d

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
87KB

MD5
27969bb3095b1981f63fb63e33ec99e8

SHA1
eef93af0c7cafb59e1dca85deb1d1ab555aa7e00

SHA256
fb90994a53c30d11c9bf42ffbf15ae87c1ad96568edb69e6d7daab3fdb422353

SHA512
8ce5c46ff4e4f4169389277c0c861656b8a316209ce222cf724baed6d3a10f1c20ada7a01d72fc28a677662676949bc619559d114917040ddd669108a138d6ba

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
87KB

MD5
4371d61454fc44de5670dc7cd72c5e87

SHA1
668ae332ea152fd44a7a6bd278428015a51a1d54

SHA256
0fe8461b62cdc96636ec1bee18ad05e06eb2a699b8d49ca1f6c7939e5da87a7e

SHA512
041373987ce55f23d9c00537ace8696ef23aaefcdefed622894c0a51135c90a9cfa36f6aece5ba9c232475d1c4cf1dfda9b91b05f45654e6a62f5a6990f4cf69

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
87KB

MD5
fdf839a7a77b5fcc4670fa3e5c7bb026

SHA1
b765fc6b35934d2bac68a6fb485468b87940630c

SHA256
075d5fd2b73bd166de6bf63cd925b9aa39107f81d541d4cdc01152a6355cb4c8

SHA512
eeb610d7c10524893e776717569e5a38581e86ab0d76f037909ff2e015d61e68c8c97ff46a3f00b18bb88775d34695e115f245bed467d1e84a44c3dae1e8925f

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
87KB

MD5
7cb144f915cc6a9ddda10f90fd6e5a52

SHA1
a14773810f4a9d3b04b165dbdea3a0cef1271042

SHA256
be37d03122bc223541cb9c85dbd39a5abc810df45ee6eb074547a317bfae4214

SHA512
6336d8012b7f50999b97a120b3ebef203e6eb15fbd20b53a1ef28561dca1e9fec8998a8943d134334d543e57a36803f7e9c9b7060e182fabe44908b09fd775da

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
87KB

MD5
ef1f2fa961aa65b9c82d360c450f34b2

SHA1
f3638fd56c4e111c01e1f877dc228a6021e848d4

SHA256
d3758ca38d3736ed01b585f9cf6cd9b19149ce33769c78ef3f9c4d4fe942c345

SHA512
05392db461d3354210101a05b681bee651efe9d82ab1faec2f2083592e545d563c5bdff8c327d41e276370cd9199a157390c47c3a4bd440060b28ce1259f3649

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
87KB

MD5
defb055b437e9136210a3df1864f3733

SHA1
7fc6158afe90cd241affc826b5c19c7c566f1967

SHA256
452d3e827707e7a3edbcdb13484929093e6e541c16b4120cc88d3e722093018a

SHA512
ed135918f57df21632b8c95e4362b44d188aee72baa2ddc481c94a4826a0a90c427e2b5d178b8b3322fcb82d7e4b647deed290fb257ffa2ba4dd09faddbac25f

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
87KB

MD5
b711e1cab5f7b9d370a08cb5fe22bb75

SHA1
3fe1554ce2d7f339d9234294ebd7492ae6d0106e

SHA256
586c2947e5f673edea4327d8f5e42c209f542feeb724d6666882eb95c280a041

SHA512
dbfc26f5742e95304209d977e645cf58b1ac0002137aecf2d081ef908033c27720f2d79ad57f6d09b4d96b10b85ac7b25bf6b5ec4f77ff05a8c876888f4cdcc9

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
87KB

MD5
8ec7f7d95db5ccf3d0b301e56d879253

SHA1
ca533fc0efb74eca1bce72e456680a8315f15b15

SHA256
8ce1f4ee647e60b73bf018758ab2ccb195d741f2c89cea08bc3863721d71b3b5

SHA512
e89dfec7059bd841d77b60850f5349aca236dfdefabd6cb1207af88dfb999ac3b2cfb2fbbf074801911902121afc07080cb4967d874f9b8c6eee7195475a6481

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
87KB

MD5
f93952d9e3ad0981d4430f94b19a86cb

SHA1
0ef7b31d2d120d5a09ed503608fa7e852a44a47e

SHA256
ff9e573ea4ab29347a6368a9ee8b7dcbaf77f1dde2798bd0a53be1b178b46696

SHA512
f8f63c43da0002f2b143e612758490eaf9d154692b7ab158cbbc5439585ce3a3374150a89e7a43d8e2f898682d7f790e791d1f572e21280b08a7d23514e19c59

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
87KB

MD5
665ca078c69525ca0e4fb6b6c0e95f51

SHA1
73eec94b483e58b815069200417dd4943a74b29b

SHA256
6777f6af0dc841c17d77355ea1010b34ce68f3e0e9c1ae111a648e881b4307ba

SHA512
999a329d7af33dc61404978926e8df23a8c4acb5783b5b10b9e469ecd8684723b37119399de4fc77ff1cbeca68c34123372db3975026ae8d6ff0e9e8aa213eb6

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
87KB

MD5
b6f6372afc19c37d7c9b53edc29e83b3

SHA1
17892423717a7d5c1f1ce68c0ad614f3b66ee8c4

SHA256
6b9d8f00319403d7d9f3d6986b110763bb724746d1dfd17778568e42749ba005

SHA512
f4deb88ae8ae4c843eee9c608403606470a80837b89c32070277ef68fdd380743857263d2497ae69a06710049782ac7dabf469e0a7be09b9e4e1b11d1c61ec76

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
87KB

MD5
ade643848f6107bee08a9105e260484d

SHA1
12e98a9bbdd3bc0c8cee9dbf557c32c671971575

SHA256
c0c94f790ead7332c16adda31c374cf58f9b6533d214515c0c237a56c7d6855d

SHA512
1ffec113e2c7fcde8a973edc593371bf2a8f3a7b4f41ffdbb909dd48275d0290535fbe32f5852eaad48b790cb84b328546cfb17aa9ec3f6374c5100fbd491675

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
87KB

MD5
e8b3b2b94b8431d1f669ddbea8846cba

SHA1
6e8079f21be54422a2528d87965f4e710d977ff6

SHA256
b0beafda0bb8994723d2003ca098ea121a7e62bdeddc75ce5e8a8561fe770f32

SHA512
7f4ffd973215271b3c6acd9a271bc5a331abb5822c5fb969583da7695c2f4553a0db3e407560d472be67404cd199456a0d8ad79bd89a9a36c36087821a7d3e1a

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
87KB

MD5
6ff7e3b2bfcd9dfd622f11a4a00ea689

SHA1
8d0ed6b17d1e49c4b5b53dbe5ac4cb9a41153f6d

SHA256
4d23fd5e956b00ce90e9d15e52584d6c8daa8a54ac7b931a7ae2fa90d8cccc29

SHA512
fa08411d67bd48a684229f6031bf0853d5a1750e800d3ccebad7a0c7a01ed8375c794e605a57365e6fd69c13afdb67ff7dbc515fed0fe72d9ebc96392c385abe

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
87KB

MD5
dd3974aee8fe43ddd0f8b02c3026f2ad

SHA1
737a69a3f7564e029f9ee4a9dd67f431524a1367

SHA256
696ead5f35b6d91416e07e4099e8f66cfd9976efa0a5b1f79919a1fc4d6d2741

SHA512
1ab0b7dad595a1a17c32b41d7b474f594c6ef144adefe98175a1426a4763471ca57a280297bb9c8a4ded3b6d4d900d81a40a120c852376fd7f0005dc56ba34ec

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
87KB

MD5
5cbd7e5917023a171c38701544be441f

SHA1
5a7b94e66a7957fae9a7d9c639bd1c3053721794

SHA256
fd71af9a56ffa16831fef8918e42a105d5f6b6feb43fe7fbd44aca579a12a5ea

SHA512
287dddbae49c425fb6bfc871ba594a2a519abc48a85302074474efb3379a8979467cf1d987ec1d8877cdc6dede7623bcb3a3747a9a3d7968deae8d4d3e0a0354

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
87KB

MD5
17d1ef7b29c51da09a22d1a65acbdb03

SHA1
2dbb3f78c931cb3609b9bbbdbc628a2210a1f6cc

SHA256
68b16a76993eb9435f593b2fedf95c834ccf11fa7ba9971f35d1cf4c7d824431

SHA512
d139e18f436d6dfba4b90fc7812ef7048ca9b68adf7bba9e99dcb989afa3839a3bd83645b7a46b53ab26287ea93f99805e8101cc1ea347c53b1e99d2793436a8

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
87KB

MD5
68f13a08bff10f22124941c8ccdfd429

SHA1
a1f7d328c4475ec89bbb42b1fd8bce41e8e98538

SHA256
44a74596c10fb7f8ca87b6de9f9f40fb3e5164ce7f24e86b76ffdc8f0a219bb5

SHA512
a3508af1f9624605a2da9092875adb3e170f4738529a5765d665e6b11fb33c1d5c58d9813fba94609aba419eca3a0e6ec2538af76d8a4f87fa7009d2f6f593ba

Download Submit
C:\Windows\SysWOW64\Gfcgge32.exe

Filesize
87KB

MD5
f5962dc165c18a4161dc85428931bc8e

SHA1
0e2b9c599b0bed02c7e79484efe7d3aa39fd4470

SHA256
56f3cf52b2c472695521e8334fe04461519a5d44a5aaa0e4502eac44c31f7af4

SHA512
0604c0b814f171e32ab96a326471b39e0216b92fb2b3710c8fb80dad5ba91b081182e67c5a0d6dcacf4626768081e42eb42f15e822e16283637cb77614341f62

Download Submit
C:\Windows\SysWOW64\Gfqjafdq.exe

Filesize
87KB

MD5
87c3b6944951b2910d8f4bae583191d8

SHA1
914b35d4b2116dd950d2e1fcd1cc4ce24aa4c75e

SHA256
9cd081f2efc6af62e4a3e5998440314bc8624d11c4179cdfbcdf75656db21e56

SHA512
742b9b04ff8d2bc9aaff8d121f3a3fed82b502699553fb6ba43ddac056d787dde7189e862379d1352fa0b58e050d1d7c537485be64dd4f7b16ea191438e6a469

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
64KB

MD5
50a131a8fcc3fea772a1967f4de46f75

SHA1
d0eb1f5f152b5566b9ca25dfd5a60eb93ba1bf70

SHA256
54278465702250f0ceffabd34432e40254c4df59786a98e4195a1bf50ba00cd3

SHA512
e4822bb14e9d2ec06428acc017eb7aac710d621542fc02b6b050b5e83ac95e07940dab682ad68286c702775663d7e65acaaa3a889eeddfa997906438937524a5

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
87KB

MD5
37ce325bb8a8188e111d11952749b742

SHA1
7374004ab46fb460254268bc486a5c73e87d8349

SHA256
1db544a972abf545bcc43d546c6797acc1592f66842f958d5c3c41b20b1eb306

SHA512
6f477160dc86bad14ed9778125ba0c8b9882a6d9011068fd1974a58817f5209db6f016022ac2edf570ba92a12a0f974dcaf1bfabf9b125c78f45ca38674cc717

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
87KB

MD5
cf95b62f91829f6fac5ae11174bb6e7e

SHA1
ff846859abf12f9eca57ea21f4dc2fe29066c596

SHA256
53a54b5b134478417b06494fce261802ca42dcc7d02c6a8e172582217c5d3230

SHA512
c537b9e4195a077fb4cac47431992928ae5d62a73c82f619a0707a4648da1128a699c089bcca399b640e347fa93f3c02cd405bf2ec38c944766b845c7dcab299

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
87KB

MD5
3ebb4963333365ecc1f7ad43ed8968e0

SHA1
9b40ce8a913d515ff06073957be9b82e325be3d4

SHA256
58b2c87a45305a48c342c6c3d13e2b50d9061dbd0ff0a8dd3faf60d7585fc6cc

SHA512
ee2b6b46e045eb53232ad292d4a0ef0fc91c6fdc94e97afd09638a2d3d94051726dd3062ed07733fc8305aba60f55dd5ccbc7a4c4b15640b0d454bfeffd0ceed

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
87KB

MD5
faf9ce7605ae32390f97554d4d50abf9

SHA1
a33177019b90a93b4e972d45f6a4e6c650ad859e

SHA256
c3c7dc7126b04ea1ec8c50e77ca8edba769d037fc3abfdf741686c1ed5453551

SHA512
163c43943e27d1a5bc3401cabb44b623a4f731d7a17d194280925ac292c3137f59115074cfa59e3558f651cc4893088cc272b300f1a42e378415b99cbead8151

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
87KB

MD5
3f7849a13ec9065d92a2330d5addeaf8

SHA1
2148800ae68a647a5cc7752eede6b6451798b41a

SHA256
bbe9a062ceee7a74f8bc1ca0d4423cb5911349bb8d8b2f5ee0326bc92d5d6fbf

SHA512
30031fee6e98da87b0e12288e6b6697da32fdc27e341cb4fea51e879a49c8c39e11bee52b60f27f885bbf4245e9988343dc6084cf66f7793c484d581b43f5195

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
87KB

MD5
565bc527250dfc9cf6918563747e97c3

SHA1
41a77d41a6d572a09865e5a95f2190e6e572bc5a

SHA256
e290e087a9503819cd91439bd8a8f35b78a57710ec0a3707655991411fa5a472

SHA512
ee25f25d23acc3f3a8f44bacc9589a02309272c192e3e09b497a004f937ff46ea9b3bfedafc0e269d55d386a041a7be45b68b709b2ce9c4cc437c07e74232960

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
87KB

MD5
cf476f5420863628ed7e0fa1e7470ad7

SHA1
d6f57fec56a779eb4eeccb7de1642e5a66388320

SHA256
b03e5835f8d46c07ef2ca4e73266f8b9624bc601bb8cbe5f28b410972a9e7d5d

SHA512
a6b343c6e6945ee4ff73b233b9bab6d6a9854fe2d8ea2b5343c0edd9faf34f78fec60b4157c8ccdd359adda9dfbb43cbda72652bc211332ca52ccad09d512ba9

Download Submit
C:\Windows\SysWOW64\Kbbfkb32.dll

Filesize
7KB

MD5
3c10e1711c4032742f3698948b6431c3

SHA1
fcda9e4daa3a8fcde9f38e7932d9016b6ff49a9d

SHA256
18ffd4d8b0141892cb797b89315f3f56b3ce8f4e8c0025bc0fe431a35ec0532e

SHA512
010e66d161e7e16caba77a499ab642f1705e3d4352c9c39ecbe683d6c6d3ac80d419d10edded577a47e106c46b29675a62e6b04cad66a5ef8feeeeac294c5b1a

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
87KB

MD5
c539eb3a1d400fab0fccaff2dca6ae53

SHA1
58f6344d990af3850731ba546e891b7011fa95d7

SHA256
055c746e96c8d60ccfa98bd23ce1b97f52bb43bd2ac07803ea875a64f34002ff

SHA512
50989d1ac29d3106abc4fa78b6c916973395db8db3c720d225e464ce8e175d05b306be241f02212e9b776033636b47a190d8b3d8c09b26842f627fdb6666efe2

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
87KB

MD5
f944a711266a32387adf83b59bd92f86

SHA1
112b4cdc358be17aa5f17302b75f84228f3d7d6e

SHA256
2538938dab937b33a7a4b88a861a1c0db5be0b48e628a5310046d0a3e0d36938

SHA512
ba1c5d29b51a0f56f263403ba13c88fe45fc01ba58288a3951b55dd7e74b0e1ad99282430e006ff8a83891f6ec9d8c0207758fe928fe6965c15f3b76a838a6c1

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
87KB

MD5
35728de3007a6258e83a4a7f38edae60

SHA1
721cc132933a0f560ad931602be3c9aee2e92cdd

SHA256
5f8b13849a671a8f803fe8ca359caab48b348503f8f4419cea7ffd046dc1aa19

SHA512
3ba3c41e6e84ae22e8b169844623c7cf846e5d341d339039a0a5bb4c3d2327b12d91a9664e69008edba9fd97e8db20e228f4e0bc41b271088875929022fdccde

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
87KB

MD5
bb691858444e652c15eabc1c94d113b8

SHA1
e857f760bb918ba506db6ffd9b3c3e13ab9f57a5

SHA256
4de0ce3dfc84d7553655bbf109ca2599d9496ae1b61b5d00a83f0e2567362204

SHA512
e1dc3b169883ca632d045768c40f2c736138e5945cc657edca3d36f8f2edbaf53b64dad2acd5884ae9b0c77183c8f1fab4b35e65e00083f107aeaf4bddd69df8

Download Submit
memory/316-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/316-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/756-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1064-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1528-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1528-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1876-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1876-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2052-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2432-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2676-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-318-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-332-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3396-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3496-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3864-266-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3912-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3912-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3936-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4040-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4088-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4088-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-312-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4364-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4388-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4540-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4540-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4732-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4732-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4756-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4828-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5000-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-339-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5136-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5148-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5148-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5164-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5164-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5200-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5200-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5308-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5308-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5324-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5324-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5548-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5708-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5708-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5916-325-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5916-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5960-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6028-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6028-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6072-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/6072-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads