d3a688b440d7d9eb94dc34cdb01e6af0d2b6cddf5ccc2960921cff41216361da

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3a688b440d7d9eb94dc34cdb01e6af0d2b6cddf5ccc2960921cff41216361da.exe
Size

352KB
MD5

1fefa31c030fdb038a34e62a0ed45f76
SHA1

5f2f5c0a8bc745c006d688802db6e61bfcee17d8
SHA256

d3a688b440d7d9eb94dc34cdb01e6af0d2b6cddf5ccc2960921cff41216361da
SHA512

f1e2708649a0f67b97a666f6c68bc292429671eed9fa2d1fb4e66b48ecd606a10819e51ba5aa1a0871d75150b767dc535ce908e001fe489905cccb8158412bc3
SSDEEP

6144:954Dvvq8fbB/2Gz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:Ml/IsUasUqsU6sp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcopbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnepfpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Himcoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqalmafo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfjmgdlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdcijcke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe

Executes dropped EXE 64 IoCs

pid	Process
2648	Dpacfd32.exe
1272	Dcopbp32.exe
840	Dofpgqji.exe
3124	Dadlclim.exe
3292	Dhnepfpj.exe
2144	Dagiil32.exe
1528	Djnaji32.exe
3048	Dphifcoi.exe
3692	Dhcnke32.exe
4288	Domfgpca.exe
2276	Ejbkehcg.exe
1004	Ebnoikqb.exe
1048	Ejegjh32.exe
4656	Elccfc32.exe
3884	Ehjdldfl.exe
3876	Eqalmafo.exe
4604	Ecphimfb.exe
4696	Ehlaaddj.exe
2280	Eofinnkf.exe
3316	Ehonfc32.exe
1448	Eqfeha32.exe
4368	Fbgbpihg.exe
3452	Fhajlc32.exe
2616	Fmmfmbhn.exe
1008	Fcgoilpj.exe
812	Fjqgff32.exe
4636	Ficgacna.exe
4928	Fmocba32.exe
224	Fqkocpod.exe
3612	Fcikolnh.exe
4628	Fbllkh32.exe
1344	Fjcclf32.exe
1620	Fmapha32.exe
4912	Fqmlhpla.exe
4484	Fopldmcl.exe
3480	Fbnhphbp.exe
3576	Ffjdqg32.exe
468	Fihqmb32.exe
4232	Fmclmabe.exe
3660	Fobiilai.exe
3468	Fcnejk32.exe
412	Fflaff32.exe
3500	Gcpapkgp.exe
2068	Gbenqg32.exe
5072	Gmkbnp32.exe
1512	Goiojk32.exe
3736	Gfcgge32.exe
1040	Giacca32.exe
816	Gmmocpjk.exe
2192	Gcggpj32.exe
2428	Gfedle32.exe
5096	Gidphq32.exe
3556	Gqkhjn32.exe
3120	Gpnhekgl.exe
368	Gcidfi32.exe
3656	Gifmnpnl.exe
3688	Gppekj32.exe
1920	Hclakimb.exe
2460	Hfjmgdlf.exe
2696	Hjfihc32.exe
4980	Hapaemll.exe
2360	Hcnnaikp.exe
5008	Hjhfnccl.exe
4968	Hmfbjnbp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe
File created	C:\Windows\SysWOW64\Hionfema.dll	Haggelfd.exe
File opened for modification	C:\Windows\SysWOW64\Elccfc32.exe	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkbnp32.exe	Gbenqg32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hjolnb32.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Fcgoilpj.exe	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fcgoilpj.exe
File opened for modification	C:\Windows\SysWOW64\Fqkocpod.exe	Fmocba32.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hapaemll.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hpgkkioa.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ijkljp32.exe	Idacmfkj.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fflaff32.exe
File opened for modification	C:\Windows\SysWOW64\Idacmfkj.exe	Iabgaklg.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jaljgidl.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Dcopbp32.exe	Dpacfd32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Bademghm.dll	Fmocba32.exe
File created	C:\Windows\SysWOW64\Fcikolnh.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gppekj32.exe
File created	C:\Windows\SysWOW64\Bejkjg32.dll	Hjhfnccl.exe
File created	C:\Windows\SysWOW64\Hpgkkioa.exe	Himcoo32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Dagiil32.exe	Dhnepfpj.exe
File opened for modification	C:\Windows\SysWOW64\Hcqjfh32.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Eqalmafo.exe	Ehjdldfl.exe
File opened for modification	C:\Windows\SysWOW64\Ehonfc32.exe	Eofinnkf.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Dofqcl32.dll	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lpdcae32.dll	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Gfcgge32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Ijaida32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Fobiilai.exe	Fmclmabe.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6312	6200	WerFault.exe	254

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbkehcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibpam32.dll"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhfnccl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dofpgqji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dadlclim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlfmg32.dll"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjobcj32.dll"	Jpgdbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbppbgjd.dll"	Dhcnke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbajhpfb.dll"	Gidphq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjbako32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfliccm.dll"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbamkcqa.dll"	Hjfihc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebnoikqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcikolnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcioj32.dll"	Hclakimb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haggelfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbjkl32.dll"	Fcnejk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhbep32.dll"	Fjqgff32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2648	3028	d3a688b440d7d9eb94dc34cdb01e6af0d2b6cddf5ccc2960921cff41216361da.exe	84
PID 3028 wrote to memory of 2648	3028	d3a688b440d7d9eb94dc34cdb01e6af0d2b6cddf5ccc2960921cff41216361da.exe	84
PID 3028 wrote to memory of 2648	3028	d3a688b440d7d9eb94dc34cdb01e6af0d2b6cddf5ccc2960921cff41216361da.exe	84
PID 2648 wrote to memory of 1272	2648	Dpacfd32.exe	85
PID 2648 wrote to memory of 1272	2648	Dpacfd32.exe	85
PID 2648 wrote to memory of 1272	2648	Dpacfd32.exe	85
PID 1272 wrote to memory of 840	1272	Dcopbp32.exe	86
PID 1272 wrote to memory of 840	1272	Dcopbp32.exe	86
PID 1272 wrote to memory of 840	1272	Dcopbp32.exe	86
PID 840 wrote to memory of 3124	840	Dofpgqji.exe	87
PID 840 wrote to memory of 3124	840	Dofpgqji.exe	87
PID 840 wrote to memory of 3124	840	Dofpgqji.exe	87
PID 3124 wrote to memory of 3292	3124	Dadlclim.exe	88
PID 3124 wrote to memory of 3292	3124	Dadlclim.exe	88
PID 3124 wrote to memory of 3292	3124	Dadlclim.exe	88
PID 3292 wrote to memory of 2144	3292	Dhnepfpj.exe	89
PID 3292 wrote to memory of 2144	3292	Dhnepfpj.exe	89
PID 3292 wrote to memory of 2144	3292	Dhnepfpj.exe	89
PID 2144 wrote to memory of 1528	2144	Dagiil32.exe	91
PID 2144 wrote to memory of 1528	2144	Dagiil32.exe	91
PID 2144 wrote to memory of 1528	2144	Dagiil32.exe	91
PID 1528 wrote to memory of 3048	1528	Djnaji32.exe	92
PID 1528 wrote to memory of 3048	1528	Djnaji32.exe	92
PID 1528 wrote to memory of 3048	1528	Djnaji32.exe	92
PID 3048 wrote to memory of 3692	3048	Dphifcoi.exe	93
PID 3048 wrote to memory of 3692	3048	Dphifcoi.exe	93
PID 3048 wrote to memory of 3692	3048	Dphifcoi.exe	93
PID 3692 wrote to memory of 4288	3692	Dhcnke32.exe	94
PID 3692 wrote to memory of 4288	3692	Dhcnke32.exe	94
PID 3692 wrote to memory of 4288	3692	Dhcnke32.exe	94
PID 4288 wrote to memory of 2276	4288	Domfgpca.exe	96
PID 4288 wrote to memory of 2276	4288	Domfgpca.exe	96
PID 4288 wrote to memory of 2276	4288	Domfgpca.exe	96
PID 2276 wrote to memory of 1004	2276	Ejbkehcg.exe	97
PID 2276 wrote to memory of 1004	2276	Ejbkehcg.exe	97
PID 2276 wrote to memory of 1004	2276	Ejbkehcg.exe	97
PID 1004 wrote to memory of 1048	1004	Ebnoikqb.exe	98
PID 1004 wrote to memory of 1048	1004	Ebnoikqb.exe	98
PID 1004 wrote to memory of 1048	1004	Ebnoikqb.exe	98
PID 1048 wrote to memory of 4656	1048	Ejegjh32.exe	99
PID 1048 wrote to memory of 4656	1048	Ejegjh32.exe	99
PID 1048 wrote to memory of 4656	1048	Ejegjh32.exe	99
PID 4656 wrote to memory of 3884	4656	Elccfc32.exe	100
PID 4656 wrote to memory of 3884	4656	Elccfc32.exe	100
PID 4656 wrote to memory of 3884	4656	Elccfc32.exe	100
PID 3884 wrote to memory of 3876	3884	Ehjdldfl.exe	101
PID 3884 wrote to memory of 3876	3884	Ehjdldfl.exe	101
PID 3884 wrote to memory of 3876	3884	Ehjdldfl.exe	101
PID 3876 wrote to memory of 4604	3876	Eqalmafo.exe	103
PID 3876 wrote to memory of 4604	3876	Eqalmafo.exe	103
PID 3876 wrote to memory of 4604	3876	Eqalmafo.exe	103
PID 4604 wrote to memory of 4696	4604	Ecphimfb.exe	104
PID 4604 wrote to memory of 4696	4604	Ecphimfb.exe	104
PID 4604 wrote to memory of 4696	4604	Ecphimfb.exe	104
PID 4696 wrote to memory of 2280	4696	Ehlaaddj.exe	105
PID 4696 wrote to memory of 2280	4696	Ehlaaddj.exe	105
PID 4696 wrote to memory of 2280	4696	Ehlaaddj.exe	105
PID 2280 wrote to memory of 3316	2280	Eofinnkf.exe	106
PID 2280 wrote to memory of 3316	2280	Eofinnkf.exe	106
PID 2280 wrote to memory of 3316	2280	Eofinnkf.exe	106
PID 3316 wrote to memory of 1448	3316	Ehonfc32.exe	107
PID 3316 wrote to memory of 1448	3316	Ehonfc32.exe	107
PID 3316 wrote to memory of 1448	3316	Ehonfc32.exe	107
PID 1448 wrote to memory of 4368	1448	Eqfeha32.exe	108

C:\Users\Admin\AppData\Local\Temp\d3a688b440d7d9eb94dc34cdb01e6af0d2b6cddf5ccc2960921cff41216361da.exe
"C:\Users\Admin\AppData\Local\Temp\d3a688b440d7d9eb94dc34cdb01e6af0d2b6cddf5ccc2960921cff41216361da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\Dpacfd32.exe
  C:\Windows\system32\Dpacfd32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\Dcopbp32.exe
    C:\Windows\system32\Dcopbp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SysWOW64\Dofpgqji.exe
      C:\Windows\system32\Dofpgqji.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Windows\SysWOW64\Dadlclim.exe
        
        C:\Windows\system32\Dadlclim.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Dhcnke32.exe
        
        C:\Windows\system32\Dhcnke32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        23⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        24⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1008
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        32⤵
        Executes dropped EXE
        
        PID:4628
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        33⤵
        Executes dropped EXE
        
        PID:1344
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1620
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:412
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        44⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        46⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        48⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        49⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        50⤵
        Executes dropped EXE
        
        PID:816
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        51⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        52⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        65⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        66⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4116
        
        C:\Windows\SysWOW64\Himcoo32.exe
        
        C:\Windows\system32\Himcoo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        69⤵
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        70⤵
        Modifies registry class
        
        PID:4424
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        71⤵
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        73⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        75⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        76⤵
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        77⤵
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        79⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        80⤵
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1592
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        82⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        83⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        84⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        85⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        89⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        90⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        91⤵
        Drops file in System32 directory
        
        PID:5424
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        92⤵
        Modifies registry class
        
        PID:5472
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5548
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5588
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5672
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        98⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        99⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        100⤵
        Drops file in System32 directory
        
        PID:5792
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        102⤵
        Drops file in System32 directory
        
        PID:5884
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5924
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5964
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        105⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6044
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        107⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        108⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        109⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5164
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5252
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5440
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5532
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        114⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        115⤵
        Modifies registry class
        
        PID:5664
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        116⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5740
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5836
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5956
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        121⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        122⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        124⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5700
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        127⤵
        Modifies registry class
        
        PID:5804
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5932
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        129⤵
        Modifies registry class
        
        PID:6072
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        130⤵
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        132⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5824
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        135⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        136⤵
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        137⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        138⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5784
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        140⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        141⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        142⤵
        Drops file in System32 directory
        
        PID:6168
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        143⤵
        Drops file in System32 directory
        
        PID:6204
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        145⤵
        Modifies registry class
        
        PID:6292
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        147⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        148⤵
        Modifies registry class
        
        PID:6416
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        149⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        150⤵
        Drops file in System32 directory
        
        PID:6500
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6544
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6628
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        155⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6740
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        156⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6860
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6908
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        160⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        161⤵
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        163⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        164⤵
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7164
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        166⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6200 -s 404
        167⤵
        Program crash
        
        PID:6312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6200 -ip 6200
1⤵
PID:6300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dadlclim.exe

Filesize
352KB

MD5
92fe0a42683ade1474b59edfe1ae497d

SHA1
f92c763b3142ba09f4265d6bf81c7c60d4784fda

SHA256
e2dbacc120c61f1b9966a371830db3dae9201ea54029af65d01bdd7e6bea4af0

SHA512
43deccc6537fdd0feb5db3df8b4ad0acd513be7508fd03f67a47f844d4ed044e4aa2e2b9eb4cb8fc28eb0211e91a0c9ce1811f40d6cde0d3cd9576c8dd09fbf8

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
352KB

MD5
2ac5f3c2d1b30c2cf60db5b2f75e6d00

SHA1
ee8152a5fb02cf3ed6381e863c1330af22f70dec

SHA256
2112661d8598dd478239907fa8b0e482bddd8db42b7f6a0518359978f2c71256

SHA512
dc301bd436c577f74bd7a8214e7b65a88727dcd8f76136207045d10d49e9befec355b45f8a3a800f8432169de6f27a8efdc982c0d2b2141798713fbc15cae1ec

Download Submit
C:\Windows\SysWOW64\Dcopbp32.exe

Filesize
352KB

MD5
7fb86d6ed310b2d9a31218a95b07ebf9

SHA1
e059b9771d48ae0443f4d217bc8377bde6f20a14

SHA256
54a7fbedf7a4fa4788ca0cbcb44eb5705dc4a8e6c90c64e58d59354d52b47c9d

SHA512
a53a04d37cdbfb8d396e0a93e6f78a45defe124d4cfe69fdff40a741660d18d4c516f8e77af302e532a6100c51f263ab6e8187ab7e45a685437478282101744c

Download Submit
C:\Windows\SysWOW64\Dhcnke32.exe

Filesize
352KB

MD5
629c9d783d4e3025db4d5567680fd0bf

SHA1
6ce011600aa750da34facc78add741eecd03d6ce

SHA256
cc79460a4c74f011e4ed4cdab58bf71fb1c3db8a639c9c73c4ba8a1c9d0081d7

SHA512
f8e1601cd420f7d63e02435c1504ed2060a1a1b56775b9478887787367f2fdace4fb918d35528509a893bf9adb438adb651c55301569e73fb2411e2e19be0318

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
352KB

MD5
05036857da3421046ee5c1da9706a0f8

SHA1
f266ff5c2fd76a17200e70b0210a06a5c9d3faef

SHA256
7bf46b301c4c3e0899c66f3bfbafcded8a516d7dd95432f1e6c1ddc2aa5f9239

SHA512
524291949bff3854ca65e22d94cf4b426be700b542b94b49e5671cffdfeb465efff110cb0e9db3821db7a5eb8c741c6e90c603dab3a71f1f6d2162f903de4b16

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
352KB

MD5
3d5e5cb7b70eb962134c6059ccd9fc02

SHA1
0f157eb063e8bf4fd2569617f47c6b76c90815df

SHA256
7bc9fb30a74b3691568be42c29fa19e8b878077e7f64d9510f7418fba059a028

SHA512
eee81ae97072d20281d121e25c32a6a021e5a0dfc5df47c455d5599222373328bfbbe8f9ad8d5d24161a40baec9ee37e9f2f4b0b63f5a9187b257a1ad74f0ef0

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
352KB

MD5
5fc436b76e4e46e007e6a746af607af7

SHA1
605401bd1f0c1e99fddea586739b61e18a5c6b8a

SHA256
c17e9d6755439c8bd65f34280c4d471f0cfd6e6248f994719d8d2da71a7b1d13

SHA512
be5a050a1378dd38c15077fc8da77f3f2d352c54cd01b9e6e3542706e80dbcab3bd180fbd89e8883141263ead9a77be5b4e70a3707e050fd8cd14620f1d6433f

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
352KB

MD5
05c47b9bc98687ec82597ac800e8d4d6

SHA1
f3318a752323f366b2e323f222aa1e609d3d913d

SHA256
681466f7e392d80ffdc31d07476fb6fa174f1c59a739c1f9bebc495db8143033

SHA512
387dcc9c0f35281c9c51aa044cad00bc713ec0438f3bc2856d2a121ccba6edea83e6f32dd61914b8a63f79229d2ec8059dabe414f469a69da122bcf4dc61f642

Download Submit
C:\Windows\SysWOW64\Dpacfd32.exe

Filesize
352KB

MD5
519304384d0b0583ca451c87c965bd6a

SHA1
b7a5aa04847d06d795c36ff2462b9646e8e9e0d4

SHA256
df15a327963b8992a3ce451597aaa85046b04d1ed0ec6dbdc9dec109cb3131ff

SHA512
958ddd8e681eb40d8b78dc173b2d281352a6068713d551ccedeeff3e13c3347b3bc2e9e392e02db25f4bde6432cf93e530a809292a807908c1dce24f8d12410e

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
352KB

MD5
43840f1086a1a3557d3e068f49acc488

SHA1
eebd1ae831b6ac67c0f5c92fab0c4bb41663a1ea

SHA256
50bbe92a1d04fb44708b779a1e4f19a744701db00f5fd0c921557b1c53e3e041

SHA512
183639a86373d9c74bb9ad0b8ab03426326ee9729484de9dad9e55b945d5b071b8c80d0c19d0265f35ae99ec53f962b61c8edd2f3ed51cff0825a79e033246af

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
352KB

MD5
8ba37090472039af3dc7070e19145dac

SHA1
c43ebb8e8ed915b2c01c3adc7321c3874f84a20c

SHA256
762f0ff1e54ba1daaf3b6f358d86006e3e436ecc69e8f080e91a8ff8ffd7f0fe

SHA512
d26db43e34f824232e9bf2415784dd65aa27ca1cf675d61ad6b8465cdee1b3edaad1a3a0497d1efc684ce4d490bb60ddd19ddbf04db182d6092154886feee868

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
352KB

MD5
e284e8ada5eab24896756a3036e0d034

SHA1
ba0a99cbe5006dd05fc657335547886539e0d5b4

SHA256
af34559fbb7c9de0991237181cd425bacf2fa329070f856c320df9a4ef03ae21

SHA512
58d4b83ec4a5d5e263859ffabf82cfd7b24077b3f02b9adccbb874bdcb671fce1fcbc8e17413075221140992fb829e61837cbdf8b4fddf5eb4c14c9fc07ebb62

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
352KB

MD5
eed264eeb68d6cc610c81cf527a78d6b

SHA1
7dbc27c344920bb18b791a2134f4bdf571848bdd

SHA256
64ad7feaac5bc8870fa960b884ccc52189d895a3cc99ef0564cb9b703502d260

SHA512
2c6ac94fb3006523130f7db1fec3041e55c5240d8ee91ec6915ba2a4d04f23c5314de86f8a93183af5b22d8ef6d334f8f5e44ff11796ac5400f2c2741cef2c63

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
352KB

MD5
cf950707275340c61e9b1ac0c2b3a7bc

SHA1
6f1872fd64b83c184f40018da2b97be7e8cf6cc6

SHA256
b1e6c4f85a1215f91f3fbde77d169e10e9d441823e5bbc8ab3db0ce052911fdf

SHA512
ea7cd59f019c27edfda3488e0fb984e97c64e210af2ec14e82ae050362cdf058deb5f490c6e344de0cbb65631183c5ae490f33652791d18f71d52740c112a76b

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
352KB

MD5
e1ff0796befd90aeb11f95505e2b71a4

SHA1
9c93d950c36213b6bf0d90370036f09a3d1b650a

SHA256
661705d5dbdd67c0f50ac072c11fe610e48e78624d544c7f575de89dee0c6ad1

SHA512
e57efa7afcd196ac9ae0e01e6e0a22c637e013a09504166247f1fbc395468b3c89f84e5d9bbb34bdd83747b6f7aeac11fb82e5374c4353df73dba98238ec9f18

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
352KB

MD5
ff2e82d10fa1d42ac5b38eb41a9c2ec0

SHA1
cdd0e12ffda8238a0144556ec0846c2a6de39ed7

SHA256
06fb8c9fe52f6d932be442680e878c3ba3632d2133ac7ad831ccacf04271db7b

SHA512
81f3452bf81c011543e9446d8a020229f02d0ee4cb61099049d634904b76f58ceb2320ae995f5776731730983eabee63c03edabb2834f081127e478bfdf19d7b

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
352KB

MD5
64a1a52163ff62d11c67dc8391dd193c

SHA1
3dd0b2bec78d54424b4762e489e5ca9170f95fc2

SHA256
d149881f9c6b0a8ab745cd6761bc9cf1f565942d3c8ddf5703fb731ac6b08bc0

SHA512
61e4b1c523bf4f6f1fe082b84dae3f5f10ebf7fe5eb8f1c80d26974ae098c7640f5abfb13a4094284b898c63926fcf807bd818d84366aa16e460b1399fe78329

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
352KB

MD5
07988b7d136d6dd71a51cb7b13585856

SHA1
89bb37c21330b604b9d81c9ec9220ae6f4179cb5

SHA256
edd46ecd1735637ed8698f0c5f88dd68dd4cb23ab7b9775589d1d40ced95c9d6

SHA512
4739113c4912ce3b7e0088ab345b790d3a89bd56f47665d1ae634759bc14d901be8d195222da02969bf9da15285798768d6065dcd8d9db76227574783f968cb5

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
352KB

MD5
1848452048a77ef2c52b245eae8eeb06

SHA1
ee9967e969ba22ff8ef07ef0e4021414738f096c

SHA256
57a20d80a47f5582137c57f4fc460e4f57998033ef4f2431d1576d568a8998c6

SHA512
0eecb76fc471a3f3c065afa81fffd45bea9b9f8b3781da53f92f0db284aceea10966f32516f90b29bd26cbd7a563bb3c720ceec1a5ab6036164d8a51de0058c7

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
352KB

MD5
6c882159406cb1f38c087bc9681649cc

SHA1
ab985ab5a0b57cc91f8db971d480f03ae62a5e00

SHA256
a8180335c56827a1292be1d8d47762072b2e9b5b5d9645bba9b77a8847df16ae

SHA512
5e89de2e672a1b3c870ca6e5bbb8726d5e60953a64e511cdd83b78955507e3999ffe72163bb837b4322fa8386ecbc79baa471794b1ab348292f6e1dee9aa8b69

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
352KB

MD5
24f54367b9e34fd6f7bca912c1f36071

SHA1
8b6cb3628b5cc9b9b33ab7f0aed804a9fa2847dc

SHA256
00ad112a97a3d78e29a315e34d21f44d267107cff00f894b3758c1f663344472

SHA512
459869e6664d305e456e00449e910f2c767feeda08565f2965dd03ad229454a3f0859873779c77495b0627d344c817be79b484f329faf0ef25493fbf04b30043

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
352KB

MD5
9eb80788b30ef25167a912f387be54da

SHA1
c5a031ee59a3bfef31cc74abc6e20290e3b3bfd2

SHA256
bb4718f78c6bd4b34f47888c47f03e29aa005c5b2777454d6ea40bd21f744817

SHA512
c113890ada9644be7e25272af5f4b0b7396a5ef187a65b8842dba26408c6fea23843196b3ae50c8771cc0ba04f2a4a6ac03c6f50433a2c2bfd198bdb415ac78f

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
352KB

MD5
f8264424d3b198fd0252c32b34634027

SHA1
20818ecd246a3dc46a8c7db07f67cbaebaf809d2

SHA256
d5f0d39c281ed036c80c5cd9b7cedd584785e422a1547fa6905dff2181998948

SHA512
b7ac44f3d85e2e7f34ed50e31698b21598a73107b09966a56f01c388b916c72611bb21bed8b886bd7bda5131e022ef31d09d48c77aca8edea6dbb343e7d8b73b

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
352KB

MD5
290463bb7e1ad5e5698542cada7bb167

SHA1
74b39af58d2445bcc2cd19a79f2eec94b8684d50

SHA256
6028bfaeb38dbecf29c6b55cd2c89abb4b68efe969dedebfdf70bfebddf43d79

SHA512
c896a1245bdfe9f736b604395f5a50c5b4cc994d5d6154da7425cbd1cf76a26e801b1f58efa511e86e75766e377d0b87d47d03de4407ad83c32ddd6dcecbd16b

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
352KB

MD5
fa8230f5c3e99ddc4a7ec4c0ff951d19

SHA1
41695782db4de8f3ceea0a345aa5305635e00c0f

SHA256
7eb4a51ffb82ce9b4a535fb50af7b96199fb95f5e3cb069f565995bef55fa730

SHA512
2f11490fdf6d5d00fbd6e87ac86303194064b8c07ceb13a407c6b18152e3336d61e93d1a2b3893cc77127f5bb38ff568b9981417c59d11ef5b0ffc36e987db53

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
352KB

MD5
caca8de6497364cfbe0edb6ce644310f

SHA1
288883037faae1c62819691ac3b701913729a465

SHA256
46990493fa522066b07273cb0c03aa1d44a7084e7ee1fe06f59dee578ec2d23d

SHA512
df45fe1f8370f0f6ae74f924e3620cf765c9dcb7c7b09aeac3cf8b7a1b6c710adfc6e6f07db60e2ae87942b7bc263b797a109ce56f073effad2a1cb8f070f79b

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
352KB

MD5
f725c4616ffb329ab7b81c8bbfc5f841

SHA1
c3b94a488aebe9e2b3f6741ad09bcb8a8b168c2f

SHA256
67968a811e7facb7f8e7b88c7e54f4db014adf6ceee15fa203523761f953cd64

SHA512
b33a6a319f1b7b8adc2b9ec55392d350058d7e1d70a768c564406ff9162f4bd2c630c5333d87e256a9ba32b2822efea6ff1f9379157c8593be1f7fd311aae9c1

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
352KB

MD5
e32b6c5d28183493eecb13dc70482fc8

SHA1
a8cc45ab4742914c12fea318769942723be73c04

SHA256
fbf8f8fbf052a153b333d30b49372dead4f176e6ef58e80e29e104daf137007a

SHA512
49969ee59e5530323c7afbde2395252402748164fa85f276d4d703b331d0aedc00a0c1e7ba8b678aec8f72bc97154092b8057f0c535002a367d18673ff3c821f

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
352KB

MD5
5d6682500069bc09ccc4fbb6c13ba335

SHA1
b323707c7f064a10fb53642fbac7b5581c6465bc

SHA256
905e2cb67a5d2f90e2dc876866b17e3622cdae83226c4a79c483f3f0c46b6bcb

SHA512
b947650370565ed312b5fcad611fdf9b469d94176df9654a654264776c4be7e926168ebc3c1b64156a117229009d68679f016fc1cd4696692c1a5cf1ac59a94e

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
352KB

MD5
9f9c6557ac1001ae106e1a39804512a3

SHA1
7d0d77856458d45c26573d8c61c8b92ae1fc9ad1

SHA256
43d889e310d2e67bdf4017530c2f6b933535388eefeb94fe68f301de79b2fee0

SHA512
c2fad718dc0880cf9928dee0bf2dec1eda43399a5947ead4405bef1e116c7f21d7fff9a2e257c501f30c17b634cde49620ceaadc0d860fba044b6435413041ef

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
352KB

MD5
fc4216979e4a6f3e37656e9b001a7252

SHA1
25fcccb9ccf4889fdbb33131cfcf73e7078bee25

SHA256
0bd0a1cf35774453ccf3ca89ea434594080f864db28015d815483c87f28a5b29

SHA512
1d04cf084f63de500bbbfc9d0913fe6c19e1c9b0cde97730e548aad331671c453df489ff035306136205e8378c390eb71159d3d895e0858020c33072cca2a91b

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
352KB

MD5
f53312f1511dc4192d3d7643e442792d

SHA1
c666d0dce89a6276b9dc3f2b52523df79f1dddad

SHA256
49b9fa0d0242441807f8c8fd510ff80751719aa8647a0aac0b98c48cd663f2eb

SHA512
01f08d27b583aa31eae1dd42680050906521a4ca3f8d5fbab234bb765ae08d70e3f7e991dba77c2ac458514fbf84408282bf6b45b0a35a34a9bfa2c1eb05c327

Download Submit
C:\Windows\SysWOW64\Iakaql32.exe

Filesize
192KB

MD5
32049b29afdf1762fcb4f7c804957747

SHA1
24f36fea44e8313bcfb2ba5873ebc8730c99f016

SHA256
5c01f402cae737ae2b91ab15625cada98cc92b5a71c92af18c077558c7e036f4

SHA512
ed4c4b6531708331f5a59cce660b495adc13ef70e9f1d2ead0953f45e25413a6008b30e050316462df7f1c7deb4e7cf15a18bbf3f0ed99aa40242e89884d1275

Download Submit
C:\Windows\SysWOW64\Idacmfkj.exe

Filesize
352KB

MD5
5a5ae6b7ae1acb29146e4e3593385b32

SHA1
7b494a7e7ce40e058d027a6dc43ac8bd8ca16831

SHA256
26a1917baace8157ba00d969214ac7d41d95cc18b7b968df3abdc830c3f49564

SHA512
e50fa03e25318ad6b29cfa94cff43650f6f52a61c959f496fe4ca065b8bdf64eabb6912c94b50de5ad084e47fc8d22ca3734d899e5453859a63bf2cc85027c12

Download Submit
C:\Windows\SysWOW64\Iiibkn32.exe

Filesize
352KB

MD5
24b7897dc0b81bfb1b06888e533fa058

SHA1
246500dd48f6c84cd98a52ff1a8c1614b0ce5e7b

SHA256
7ba223fc1f0924202deac7fcb34fed2f540cb34fa1708843512550037b5660c3

SHA512
c8b3e319c773bb73036b0f54b876b8886b50d300d63e8029766728702020643cc118298df58cf8b543dcad02a8eaf20b5d4026eebaee8839ad155a1f50d22e6c

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
352KB

MD5
fad56b185ba0d838cf00a339e3c97950

SHA1
6424304e7e6a48eafabdb85146ddc06928911fb1

SHA256
1a91c5c2ff14f6ba510ece4f7c49b2e042e6595c86e2c1faf17dddb3e3548b3f

SHA512
ec4bd657116aa8e0cc6ea922f8ecb8396b522eb6bc1fcda38211f587372ccec1b7edb304282886473b1821025d3f6c8757050479f13a2edc326f5755a9741918

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
352KB

MD5
e20f1c6b40eb9a8f834827fd8044e845

SHA1
fb7d5dd50344aa65961b58cbb3848d54696ef90f

SHA256
6a14637c95dd91b87e47d6ed308340b7a2b1e1ab1f5029ff12c25c94aa17bf76

SHA512
b057b3ae778bb68cd1aa84d6fc46e1b33a498866cadcacf77cb66054c7a808887487a940d374f5e7789b798a7ac494c753d0d472283728f9d2bce84468d8afff

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
352KB

MD5
2b536934442a5247034ab643f979e40e

SHA1
7d69a1524b8a49efcf115581591281126ae69cca

SHA256
bfe5bf07ec452732876128471a0a26b7fa97d3cc71345555d46792bc580d4f56

SHA512
df8c3cce3324b6af1fea722e7e4d221f45d2763d39e9206b8b07a03cffe016f4394ab4fd30b691bf5a73a3a36832d907501cfca966122a8b2c550eedb3bdc718

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
352KB

MD5
00071b9b527cdc3d40c4e7dc68d5f41f

SHA1
226301003f7169ad59886ecfaa8e4c978e00ff5a

SHA256
6d02708f5e3c6548e0b58e33e8b016bfed12350a72198764f3c70cb58f467a6f

SHA512
a6460c06d56d8f1f72ef2156cef22322b4fe73a7125d23506a727b3d3899dc41a9c0bca44fa97e525e759046686d048be43fa21a6ebfce1ea58b4a54ead69641

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
352KB

MD5
6591b6bdecb9e5e5c0ce8f32287fae39

SHA1
f8d02f98e39b923827b1e5402d3223e7493a44db

SHA256
65175011e692ccaa8d6b58447813b09c2b1d63db51fdf44f8b2ab5d11a805490

SHA512
8d52d0115e9966798cf35a7f82ba8ae6b64607560406860edf28b203263bf3efad74e6e53002ab740553856051f94d2785bef561f0f4e774c572b5f1db345f04

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
352KB

MD5
829107ff53fd06f11df89741aa2b7d73

SHA1
08698f4fb1677768211cb3acd5792327c8b75ddd

SHA256
7b4deac2836653a6863a55d8e4911946f9c8f3f4f00fba1c71fbe43d9710bd43

SHA512
fe9c9b3ec74938b22a1623c939ff77796ad946871add297b00b184909a6d4d338b3fac4ecd3c9bacf89c5fab233b7d8839ddc5570772987048c57133ae3e3e63

Download Submit
memory/224-303-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/368-383-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/412-308-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/516-509-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/748-483-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/812-298-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/816-348-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/840-28-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/840-639-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1004-696-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1004-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1008-200-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1008-1343-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1040-346-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1048-105-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1048-702-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1272-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1272-637-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1344-306-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1448-172-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1464-1251-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1464-479-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1512-331-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1528-1379-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1528-57-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1528-666-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1592-1233-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1920-404-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2068-319-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2068-1305-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2144-48-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2144-659-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2192-354-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2276-1371-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2276-694-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2276-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2280-153-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2360-423-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2428-360-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2460-411-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2616-1345-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2616-196-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2648-627-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2708-521-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2840-538-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3028-4-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3028-0-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3028-614-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3048-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3048-671-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3120-377-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3124-33-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3124-646-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3292-45-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3292-653-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3304-519-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3364-1253-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3372-457-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3452-195-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3500-1307-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3556-376-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3612-1332-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3612-304-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3656-389-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3692-677-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3692-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3876-133-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3884-125-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4116-1261-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4116-450-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4276-487-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4288-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4288-684-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4368-176-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4424-1254-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4424-467-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4464-532-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4484-307-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4604-136-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4628-305-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4636-300-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4656-113-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4656-708-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4696-145-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4896-503-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4928-302-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4968-439-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4980-417-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4984-445-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5032-497-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5072-325-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5140-548-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5216-555-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5260-566-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5296-567-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5304-1148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5336-709-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5348-573-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5392-583-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5424-585-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5508-596-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5548-602-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5588-612-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5628-1203-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5628-615-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5664-1165-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5672-1200-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5672-621-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5716-1199-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5756-1197-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5792-640-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5840-647-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5880-1159-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5932-1139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6044-1183-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6044-678-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6252-1106-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/7076-1068-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/7128-1067-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads