f333b5d5105caf7de4e11a401e0e67f1bf91564bde9ef6d064f0dc8b641813e1

Analysis

max time kernel
143s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f333b5d5105caf7de4e11a401e0e67f1bf91564bde9ef6d064f0dc8b641813e1.exe
Size

479KB
MD5

460acdfccdea5218e3dff4379e11e3fa
SHA1

797f6976f9ac35ba1413bf68d0a404ea1b940079
SHA256

f333b5d5105caf7de4e11a401e0e67f1bf91564bde9ef6d064f0dc8b641813e1
SHA512

0a8c059941ca518e88a9713353993d115dadfe8a570114ad57e000cf0946ad8395bec693413d7f3df118f8019e6af4ce5bccb1c47ac92f01c64c852976ed5806
SSDEEP

6144:AFI7DVJAAVIRJ6EQnT2leTLgNPx33fpu2leTLg:Syi1RJ6EQ6Q2drQ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbgkfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifmnpnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmnaakne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjfgphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dchbhn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eleplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe

Executes dropped EXE 64 IoCs

pid	Process
3948	Clqnjf32.exe
2680	Ccjfgphj.exe
3196	Ceibclgn.exe
3144	Chgoogfa.exe
3628	Doccaall.exe
116	Dofpgqji.exe
4952	Djlddi32.exe
3800	Dagiil32.exe
448	Dhqaefng.exe
1392	Dphifcoi.exe
2948	Dchbhn32.exe
2212	Efgodj32.exe
2772	Epmcab32.exe
2256	Ehhgfdho.exe
4112	Ebploj32.exe
2012	Ejgdpg32.exe
2352	Eleplc32.exe
2856	Ebbidj32.exe
748	Ecbenm32.exe
1020	Efpajh32.exe
4128	Eqfeha32.exe
4920	Ffbnph32.exe
3680	Fcgoilpj.exe
3692	Fjqgff32.exe
1680	Fomonm32.exe
2776	Fjcclf32.exe
4916	Fqmlhpla.exe
2356	Fckhdk32.exe
4512	Ffjdqg32.exe
2532	Fbqefhpm.exe
1656	Gcpapkgp.exe
4972	Gbcakg32.exe
1420	Gcbnejem.exe
3608	Gjlfbd32.exe
3832	Goiojk32.exe
4792	Gbgkfg32.exe
3164	Giacca32.exe
2844	Gfedle32.exe
4600	Gqkhjn32.exe
2424	Gcidfi32.exe
4176	Gifmnpnl.exe
3960	Gppekj32.exe
3524	Hjfihc32.exe
840	Hapaemll.exe
4772	Hfljmdjc.exe
4032	Hikfip32.exe
3016	Habnjm32.exe
1440	Hcqjfh32.exe
4192	Hfofbd32.exe
4852	Hbeghene.exe
1672	Hpihai32.exe
3400	Hbhdmd32.exe
844	Hjolnb32.exe
3872	Haidklda.exe
4228	Icgqggce.exe
1956	Ijaida32.exe
1412	Impepm32.exe
5048	Icjmmg32.exe
2828	Ijdeiaio.exe
2740	Iannfk32.exe
4448	Iiibkn32.exe
872	Ijhodq32.exe
4580	Imgkql32.exe
1864	Ibccic32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aaokiafg.dll	f333b5d5105caf7de4e11a401e0e67f1bf91564bde9ef6d064f0dc8b641813e1.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Fomonm32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gcidfi32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Qdhoohmo.dll	Jdemhe32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfcecp.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Kbmfdgkm.dll	Kgbefoji.exe
File opened for modification	C:\Windows\SysWOW64\Lijdhiaa.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gqkhjn32.exe
File opened for modification	C:\Windows\SysWOW64\Jdcpcf32.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Knceql32.dll	Dhqaefng.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gcbnejem.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Ebbidj32.exe
File opened for modification	C:\Windows\SysWOW64\Eqfeha32.exe	Efpajh32.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Honckk32.dll	Hikfip32.exe
File created	C:\Windows\SysWOW64\Gfedle32.exe	Giacca32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Jgiacnii.dll	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Jeiooj32.dll	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Oggipmfe.dll	Fcgoilpj.exe
File created	C:\Windows\SysWOW64\Hndnbj32.dll	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Klebid32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kkpnlm32.exe
File created	C:\Windows\SysWOW64\Dagiil32.exe	Djlddi32.exe
File created	C:\Windows\SysWOW64\Bbopfj32.dll	Dagiil32.exe
File opened for modification	C:\Windows\SysWOW64\Ehhgfdho.exe	Epmcab32.exe
File created	C:\Windows\SysWOW64\Lghekack.dll	Ffjdqg32.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Eleplc32.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gbgkfg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Dofpgqji.exe	Doccaall.exe
File opened for modification	C:\Windows\SysWOW64\Fomonm32.exe	Fjqgff32.exe
File created	C:\Windows\SysWOW64\Goiojk32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Clqnjf32.exe	f333b5d5105caf7de4e11a401e0e67f1bf91564bde9ef6d064f0dc8b641813e1.exe
File opened for modification	C:\Windows\SysWOW64\Dofpgqji.exe	Doccaall.exe
File opened for modification	C:\Windows\SysWOW64\Eleplc32.exe	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Mjlcankg.dll	Jagqlj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6368	6232	WerFault.exe	235

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Honckk32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egoqlckf.dll"	Icgqggce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chgoogfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbgkfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hcqjfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeecjqkd.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doccaall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhqaefng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eleplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgabcngj.dll"	Gppekj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hndnbj32.dll"	Fjqgff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmljla32.dll"	Ccjfgphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omlami32.dll"	Doccaall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgaen32.dll"	Efpajh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jmbklj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dchbhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Gcpapkgp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 3948	740	f333b5d5105caf7de4e11a401e0e67f1bf91564bde9ef6d064f0dc8b641813e1.exe	82
PID 740 wrote to memory of 3948	740	f333b5d5105caf7de4e11a401e0e67f1bf91564bde9ef6d064f0dc8b641813e1.exe	82
PID 740 wrote to memory of 3948	740	f333b5d5105caf7de4e11a401e0e67f1bf91564bde9ef6d064f0dc8b641813e1.exe	82
PID 3948 wrote to memory of 2680	3948	Clqnjf32.exe	83
PID 3948 wrote to memory of 2680	3948	Clqnjf32.exe	83
PID 3948 wrote to memory of 2680	3948	Clqnjf32.exe	83
PID 2680 wrote to memory of 3196	2680	Ccjfgphj.exe	84
PID 2680 wrote to memory of 3196	2680	Ccjfgphj.exe	84
PID 2680 wrote to memory of 3196	2680	Ccjfgphj.exe	84
PID 3196 wrote to memory of 3144	3196	Ceibclgn.exe	85
PID 3196 wrote to memory of 3144	3196	Ceibclgn.exe	85
PID 3196 wrote to memory of 3144	3196	Ceibclgn.exe	85
PID 3144 wrote to memory of 3628	3144	Chgoogfa.exe	86
PID 3144 wrote to memory of 3628	3144	Chgoogfa.exe	86
PID 3144 wrote to memory of 3628	3144	Chgoogfa.exe	86
PID 3628 wrote to memory of 116	3628	Doccaall.exe	87
PID 3628 wrote to memory of 116	3628	Doccaall.exe	87
PID 3628 wrote to memory of 116	3628	Doccaall.exe	87
PID 116 wrote to memory of 4952	116	Dofpgqji.exe	88
PID 116 wrote to memory of 4952	116	Dofpgqji.exe	88
PID 116 wrote to memory of 4952	116	Dofpgqji.exe	88
PID 4952 wrote to memory of 3800	4952	Djlddi32.exe	89
PID 4952 wrote to memory of 3800	4952	Djlddi32.exe	89
PID 4952 wrote to memory of 3800	4952	Djlddi32.exe	89
PID 3800 wrote to memory of 448	3800	Dagiil32.exe	90
PID 3800 wrote to memory of 448	3800	Dagiil32.exe	90
PID 3800 wrote to memory of 448	3800	Dagiil32.exe	90
PID 448 wrote to memory of 1392	448	Dhqaefng.exe	91
PID 448 wrote to memory of 1392	448	Dhqaefng.exe	91
PID 448 wrote to memory of 1392	448	Dhqaefng.exe	91
PID 1392 wrote to memory of 2948	1392	Dphifcoi.exe	92
PID 1392 wrote to memory of 2948	1392	Dphifcoi.exe	92
PID 1392 wrote to memory of 2948	1392	Dphifcoi.exe	92
PID 2948 wrote to memory of 2212	2948	Dchbhn32.exe	93
PID 2948 wrote to memory of 2212	2948	Dchbhn32.exe	93
PID 2948 wrote to memory of 2212	2948	Dchbhn32.exe	93
PID 2212 wrote to memory of 2772	2212	Efgodj32.exe	95
PID 2212 wrote to memory of 2772	2212	Efgodj32.exe	95
PID 2212 wrote to memory of 2772	2212	Efgodj32.exe	95
PID 2772 wrote to memory of 2256	2772	Epmcab32.exe	96
PID 2772 wrote to memory of 2256	2772	Epmcab32.exe	96
PID 2772 wrote to memory of 2256	2772	Epmcab32.exe	96
PID 2256 wrote to memory of 4112	2256	Ehhgfdho.exe	98
PID 2256 wrote to memory of 4112	2256	Ehhgfdho.exe	98
PID 2256 wrote to memory of 4112	2256	Ehhgfdho.exe	98
PID 4112 wrote to memory of 2012	4112	Ebploj32.exe	99
PID 4112 wrote to memory of 2012	4112	Ebploj32.exe	99
PID 4112 wrote to memory of 2012	4112	Ebploj32.exe	99
PID 2012 wrote to memory of 2352	2012	Ejgdpg32.exe	100
PID 2012 wrote to memory of 2352	2012	Ejgdpg32.exe	100
PID 2012 wrote to memory of 2352	2012	Ejgdpg32.exe	100
PID 2352 wrote to memory of 2856	2352	Eleplc32.exe	101
PID 2352 wrote to memory of 2856	2352	Eleplc32.exe	101
PID 2352 wrote to memory of 2856	2352	Eleplc32.exe	101
PID 2856 wrote to memory of 748	2856	Ebbidj32.exe	102
PID 2856 wrote to memory of 748	2856	Ebbidj32.exe	102
PID 2856 wrote to memory of 748	2856	Ebbidj32.exe	102
PID 748 wrote to memory of 1020	748	Ecbenm32.exe	103
PID 748 wrote to memory of 1020	748	Ecbenm32.exe	103
PID 748 wrote to memory of 1020	748	Ecbenm32.exe	103
PID 1020 wrote to memory of 4128	1020	Efpajh32.exe	104
PID 1020 wrote to memory of 4128	1020	Efpajh32.exe	104
PID 1020 wrote to memory of 4128	1020	Efpajh32.exe	104
PID 4128 wrote to memory of 4920	4128	Eqfeha32.exe	105

C:\Users\Admin\AppData\Local\Temp\f333b5d5105caf7de4e11a401e0e67f1bf91564bde9ef6d064f0dc8b641813e1.exe
"C:\Users\Admin\AppData\Local\Temp\f333b5d5105caf7de4e11a401e0e67f1bf91564bde9ef6d064f0dc8b641813e1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\Clqnjf32.exe
  C:\Windows\system32\Clqnjf32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\Ccjfgphj.exe
    C:\Windows\system32\Ccjfgphj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\Ceibclgn.exe
      C:\Windows\system32\Ceibclgn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Windows\SysWOW64\Chgoogfa.exe
        
        C:\Windows\system32\Chgoogfa.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
      - C:\Windows\SysWOW64\Doccaall.exe
        
        C:\Windows\system32\Doccaall.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3628
        
        C:\Windows\SysWOW64\Dofpgqji.exe
        
        C:\Windows\system32\Dofpgqji.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Djlddi32.exe
        
        C:\Windows\system32\Djlddi32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Dhqaefng.exe
        
        C:\Windows\system32\Dhqaefng.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Dchbhn32.exe
        
        C:\Windows\system32\Dchbhn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4920
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        26⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        27⤵
        Executes dropped EXE
        
        PID:2776
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        33⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        44⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4032
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4852
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        53⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        58⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        59⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        65⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        67⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3864
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        70⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4540
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        72⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        73⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        75⤵
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        78⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        81⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        82⤵
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        83⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        85⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        87⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5288
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        90⤵
        Modifies registry class
        
        PID:5376
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        91⤵
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        93⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5560
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        95⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        97⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5764
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5860
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5900
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        102⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5984
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        104⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6072
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        107⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        108⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        109⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        110⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        111⤵
        Modifies registry class
        
        PID:5440
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5452
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        113⤵
        Drops file in System32 directory
        
        PID:5492
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5612
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5724
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        117⤵
        Modifies registry class
        
        PID:5784
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        118⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        119⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6056
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6128
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        122⤵
        Drops file in System32 directory
        
        PID:5220
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        123⤵
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        124⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        125⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        126⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6036
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5336
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        133⤵
        Modifies registry class
        
        PID:5648
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        134⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6008
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        136⤵
        Modifies registry class
        
        PID:5184
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        137⤵
        Drops file in System32 directory
        
        PID:5600
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        140⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        141⤵
        Modifies registry class
        
        PID:6104
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5920
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5712
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6152
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        145⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        146⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6232 -s 408
        147⤵
        Program crash
        
        PID:6368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6232 -ip 6232
1⤵
PID:6300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccjfgphj.exe

Filesize
479KB

MD5
46cc238c59d772955afd6239d1f7fec8

SHA1
25048e0949aa2d24f35a7ba4936821766efc7321

SHA256
b64ef6fdaa7c584c9f6983ed406c4589e6860e5060fe124d6f49877f285a5678

SHA512
b8714dc1289e2d67a76ade151966ff974c9134c6b02239935be1b245477e8f7f75879ab7b34c04bd15f20b4b201612633d4d31c36144d179a8fc478d0c4bafbb

Download Submit
C:\Windows\SysWOW64\Ceibclgn.exe

Filesize
479KB

MD5
2cd2680a7a819a726d2fc0e445a9c16f

SHA1
3655f8db81650d79c5ad06c04706e18f58ad4432

SHA256
3899e6b25441b02438e248a958fcbf31336f33144753a131f0400602856cabdc

SHA512
924987fa242478761c5564cbe8c9e7c74f071bb525cc03ae65cda063649814577332d197169e43fa63c66a149bf16b7067020759f04e503ace9eaeba6243ba9c

Download Submit
C:\Windows\SysWOW64\Chgoogfa.exe

Filesize
479KB

MD5
a6c54f7b05dfbc36cc55a7d9c8929634

SHA1
19e17e2527796b3a0672a5a532a874f9678b757a

SHA256
d45669b418bb9372c3c399a13acb63a170ea020c534a2b39765d074f4521aba7

SHA512
d87324cd29ab235b06ef99c4108bd27994f3c7e5d490847217869e02b494e3615db7669d4832cab4cafa8d6427d44f0ef938347ba9190851d5b1889c74962ed1

Download Submit
C:\Windows\SysWOW64\Clqnjf32.exe

Filesize
479KB

MD5
a3eb2c7a2d6386fec3d09bf59ca3e574

SHA1
6ac9be68958bfe0fac3fa0bf9236dc9cb86550f9

SHA256
80185b073a838c52438ad09b64734496a01cde79c6b81ac7d13a2315dbd2e649

SHA512
fd733312fab5855a7b01061acfb73bfcb8978ecb019ab9589060f7f2acdb1305337f3d6a25018b00b9ee90482d87c3c57b9199faad730c8bb06dc8002ef61631

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
479KB

MD5
9b1b67591f3475c0a35ec75a79a07d17

SHA1
d080a670146997423ac40d922edce29a4294d258

SHA256
1aa10075794ae42782ca1056460ee1bf919f93a2dbd6bd990b11bc4196eedfd4

SHA512
391383a25d599ebfc4a4432cb65d54296e1b9c948695d95925f0840f32b29e6eaa8e6ae22238454ebbaaebf18bf8ccbc66c15054fea60ed48eb6035ac0cdf028

Download Submit
C:\Windows\SysWOW64\Dchbhn32.exe

Filesize
479KB

MD5
91d0082844524f66e893446ad864f44f

SHA1
b4ebffcc7a7f95ad22437c75682b2e2020621025

SHA256
7f15d562e42c7d0a0eba9308e98b909bf7bd36b593698932872480609de85fbe

SHA512
95a12845a8a52ef0d27183317bab15cc06e378dd4f907c8850675ab6ab54ec9ecb837a10f1e095d36537eb50056a5446b017b4a0661a31d43a78275cae48f2d8

Download Submit
C:\Windows\SysWOW64\Dhqaefng.exe

Filesize
479KB

MD5
06fdaf3198e706188454596043253be0

SHA1
babc2a76e91adcbd107484be03587338657d8dcc

SHA256
c15706fcdec97e84cefdd7c11c94bbe221640d3e55f6dd6b2b75a4509136fd57

SHA512
91fda5df81d8bfdef5d5a33dc692e8c9d618d4b7b1cc33d89ee813ff50a33eca34395787aca092c4616c0845a79b44dc60f0acd3513918bf136b4fdcaa8b538e

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
479KB

MD5
d5e0c18ab590c3408af029fe67acca24

SHA1
d7d2b2f4de9ba0fb25ffe10420842992cd9d941b

SHA256
2639e2524650bc88d0cc55e005167fd8e43f0403b992bdf8f630641150959499

SHA512
b2b4a69bacee46ffea8859efe94fc5cc595981a8ab697a6d6ddd104f9677e543725ab11aedf59dc43a0318bf95ffc653fe142c8936ffc695272b7ef03a073ccd

Download Submit
C:\Windows\SysWOW64\Doccaall.exe

Filesize
479KB

MD5
856c593b599b6a0bdd4b61e52f4a4a2d

SHA1
1c0c579bfe55c7bc25d03b29057b86b44caec38b

SHA256
1db664efbe3283876af3a0af6fa670ef662422b80ea3aea6b423b4acb7b43407

SHA512
0ab2c190d7925118a918c68b22e969765513c29ad9187247074c92678b805e218843154dd825acde408d6e5ee06a55787e8bdd272cf20023a5112ddc40af766c

Download Submit
C:\Windows\SysWOW64\Dofpgqji.exe

Filesize
479KB

MD5
a45c05bb5fc5dce9cb2fe497ba7023fc

SHA1
d1b6daaf8e11124b3d0c5815266c4b105ea45257

SHA256
24dd49c1d4b342d5f9da33196d31dbc914e15ab5cb8726273d623362715d2045

SHA512
5ce723a7f56c1f91f9947aa5f1a201745f9428e10ce7b75feb7aa8e5a5f90faa5acf696a31345d0d36ed37d88c9d2928199457594ea4badcca6c9ad5713b0d81

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
479KB

MD5
b37b5403caaaafa48d9642af63aa7712

SHA1
d288223438a2657085d94c57a6849c2ccf601665

SHA256
43cefdc7794a81b856c8b645bf36e70ea6a95561bab53febed0d5e8beac51e79

SHA512
f0d7f187265c1cd43bdd611d3577895f4b3af435810387d281cdde9f11de2d6a22b1382bd3e3c1d4048e14bf06ed165218f1807556ca8d91bd58b63187691ca7

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
479KB

MD5
7f8c5b23ec8b5b0a9b0dbaed4c19fda3

SHA1
d4c664bb8234c6c1a2bd79aa0341cad7b17dc598

SHA256
079eeaa2ca7ff89aa61d721b95c98c694a7c1b02c5d3d03cc16d8a9b4f209aa2

SHA512
277fa573bb791c1952d8f90a2b80c539244a677ceea7b116609fd3305d21bd9114d65575b54893ed8586bb804e10137ccd0a58c861296b22501fedcd2e92f9c3

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
479KB

MD5
93bee8b42bc61a234920594e1ea4d88c

SHA1
9e4c76967407d275abf0301f99d3471a50515d2f

SHA256
5ccdff320ef25a7d5354e69cb712df96dde45b25755886919c990d25aef92c4e

SHA512
b518cbc797e9af1e8d867f3841040feeff13967a9b92a12a47f831ed657a68aae91986f2a5daf1aef2283509432ff4634b3c7ea15321a26cc20a8d264d83a2c0

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
479KB

MD5
9dfa8fe9b60ef06e50e9594b5ed2dc1a

SHA1
477d03a3eeb459e79e196e40bb49b5b9417f6540

SHA256
b2e6fc18cdc7602abf41c645ee2855592deacc96227c66c133db1c7c99117d1a

SHA512
79a5e40bf7ada170921d7ad5c6b6ce4d8159d73a3aa2f96715f9aeca74f9a572c558da6e5e7524369ef5eac9d5d5c4f2072dd4fc728c539216af373352d6139a

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
479KB

MD5
919f3e2bf8646a7be8e26f866fba722e

SHA1
cfddefdfbcfc3f46dc73d581554c1efaa3abfaed

SHA256
cacc8f46ea21553273f876b5b072e472a708953246f022be748f2f12d3ab9925

SHA512
6b3667a7f7f407532c6c6a1a370e72e04b9d8e96d4b209a20c82361e21bd3ca0e371823bfa5edd321d6072e4cbf35bee286416993a846e5e82ea300159438325

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
479KB

MD5
19203a85e589a8273bbb47c510be0f6c

SHA1
e737d97eb82f0ca3470391ed05fbf1b8ea09694a

SHA256
5429feba60df20855e819333b81d755a968589e8a943499f51b7f6618a785ae8

SHA512
18d974021239459bf3728b7a9d5414cc1e40616f018c02fc8cb8be2ddf887dc40147c9ad6bb9d50a7b9bdb0ec6ba2206a9b0ec358b9543b3a7d2d1c2f05753fd

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
479KB

MD5
abb0bd00bbe933fb0f9cb94b83a82fb9

SHA1
7d4df9112c458ceb1478debbe54930f81dc38b0c

SHA256
891900e6603ac419f328bc868f990e66ce64dc0b803c925d989f40447e1404ef

SHA512
8fea7b7f309bdbc352dde189ec2b66002f4dcb05071a4cbd623d3ee9b0bf4941439e6f35cc56a3fb4a6af19e868b0307460a7ebde1fe293c73151d6b2b846618

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
479KB

MD5
a351575a537e82a4ef78285bdb395fbc

SHA1
353e58bd30591a55363f7829366b605dcf3a8f2b

SHA256
f698415a8989ccd7f2ab7365682860e59ec53529c41afdad360d7f09660ed95d

SHA512
64bec89fc1dc85a07970a1f0425550ef467da503ba349a52b31ba75d2257131c47e9675c3bb591842a3a12a5598bd0e8d74a8b1d881cb82b912d49b762b5c68f

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
479KB

MD5
02dfb7ebe14b0ca6ae11c1425b6e9a62

SHA1
0d3f335518e6e3e26d9aa6bfd17ec10abc1bf0be

SHA256
b8d4551c9df407a87512608ebf8e4db87be6a4ad8d87d873a4f1f6220df41831

SHA512
2e56c43c48e43099214f9e8ff3f215cba3ca2043e029576455d4c6a66559c4be569c221ea654360c6bc80628579ca544c6e0b10652a2c3f3c0d84c74d62ec449

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
479KB

MD5
213827dfad25705117b036090f3157b3

SHA1
00f75a648d0d64f5bee8bfdcb8eee7b650231775

SHA256
8085f17d157204b6b51a7f64781d2d9bfe80011d5d6d6c919eec067304ea865f

SHA512
2dd3e3434641ca196770b5f62c817b3621752ec22c22042b2a668675f62c0dc70c61f1565a72801e50ed8463ffc6317c78e40778eb95972734339757c88f9a56

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
479KB

MD5
dab025876b8f7282114185f35c300eae

SHA1
c13f6fe34e650727cdd64725adf21dc39e1e4056

SHA256
ffab94e2a6705e314c8988fabed17ccd3255453590b2121bc9aab8ba06a31ec8

SHA512
df40e5071680b5422f8dafed3444d0e34a559fc04ab0e53f77ef5f15200bb249a308f7483e71039a7dfa8cb5cd50331e24a74aff27e4bb52c182420e86255883

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
479KB

MD5
2edce9f7e08c265c785b0fa6a0c0bfee

SHA1
a0dbed936a200bd8657b5dc1a391642899c0c765

SHA256
0dc2a1c6d572c9d5f5099cb9d701283e6f7847cb5f839a96b82bf3d511566d28

SHA512
d81a43b63c0ecb8940787bd752655a9c11b0f3dc57fd26bfc9c3fd121389fc3cc037ade5c881eae1feea759f31ab15a6326bd56d4ce17711a7560aa05da6f663

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
479KB

MD5
e8c28190eb42d312a6763af198bac4c5

SHA1
686557764b31899ea189f53f6bf3d6468b25f9a0

SHA256
e2183b02521da01e2f302ec778249b3739a51b256f76b27661526d1fef13824e

SHA512
68dca0caf62ca6c8ec50bf662a9e9a6fe40eec3bfb86be7506e479bdbfdd2a817c232da59a35b1e3dee29a9fea9bfa87d09a1ea1121206bcf9dd7edc29751271

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
479KB

MD5
53cd543d6f1316cfe88fd3618e48fe3f

SHA1
445429bef4bd047df934b8d9cdadb13f1f6a32cb

SHA256
17a70d1119282e5ba6ff3f5a26e280e3ebed745e1a88b6fc7479ff3a6e061bb2

SHA512
3f0a343c3a54d83859426232bdd406c21895f8f0f9e6474bf8e6ece11ba629b0cb9b191f3142cddecb05a27230ef37b34ea1455f53c68c82212562f09e0a8dae

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
479KB

MD5
7f32c8db24975679e10a29e822df0c6e

SHA1
7d73310eb20f5415b6ff2f77a4cd7cc53630cd96

SHA256
962853888f969588734f588709937035e966bb03f38fb99ca16313a176a76d55

SHA512
a465bc615407240b803ba9c2bb36aedd9e750a9d20a6657b098b1f2c99d32361e656ba4b7e30f5704ff3f6d7014c167d5efc29dfafcf7d70495f4bd21024e34c

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
479KB

MD5
1f2785544b97770d5e012a4a2e4d3152

SHA1
dfbd0bf61d5c7bdde409c1980dd6570320026da6

SHA256
dd305db9fa7b4e5e36a45617f59e1549102f49ef89a6f4690d54a77b7745ab5a

SHA512
9c34203d2e4a4c88087fd0540216d472a3686340835ec8126b6025d7feddb9f2017a2ab89637ee636103f6cda884d49dd2c370c087164f1340641734ba0ec0f1

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
479KB

MD5
15931dcc55824e152691152ab2f774b8

SHA1
6bf5c4e7dbb71893f11ccdc5926a0b02cc5439f9

SHA256
b58596ce4759bb6eb57c36243464b498772e07c8312503124ad1ee997e6b4a2b

SHA512
9d02fedae44c0bee252363f57d4de4b1a3583dc04f24eba938bd953ed8ecbb63990ed13ad1169c706c73feaf4ed73ec6f69d45ee2bd2caed45aa8999249bfaba

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
479KB

MD5
a2e76654fd700600707fb5efda515dc2

SHA1
c37632465755e039abdcf091be5957ed86594991

SHA256
294de29c475f58b6371912dc43f25f0ac77d2662304eb7ef3ea39c69e7d57db4

SHA512
ca26d9a65d434cca2fb9408313f9c98900c72f84184a53cb21fed62e2cafee92022bb5305bb64728fe2a4a1d79c8b5aa86a134429ab3b1cd287720564e0cc8be

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
479KB

MD5
e97b98a73ca44e867a5550d21d1d559e

SHA1
bb17739b1207949715aeec576a8693a965e05fb0

SHA256
68540e8295a3e40926d42679ab70bd01f6a6010df7eaf34974494b4c7a1f06f6

SHA512
c85159d4b2d8084da61f58b140772bb4646b6d28879b77447d244f8c2332d2f0ed88396cd00e4379328b0a32f1e39d49d2009c9c505a6719b97624716de73b68

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
479KB

MD5
0ba78f27f9a7f6820cd038192903da5e

SHA1
332b929385482a3f7264a3c0b6eab60e0076f9dc

SHA256
d174ad006224faa53f6043a6ea1e91a21693ad634e94525916bf62883569f7bd

SHA512
036e8c7244a2e78b444a2f074fe909f67dd9d20ce9a3c2c02c338d57eab61b45252f4d4e226c9c39510def09f46ed325e08f657b5732941938b2cede8848f5a3

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
479KB

MD5
e59cf168586005463dd8e7612bace386

SHA1
ffe80c7dfde7211e2e551154f3b7c156dc49a39b

SHA256
4380b29378ba1a5f6b73e373f8f517d5e372936aba3576cb933501721e1e68bf

SHA512
77cf5e8dc5b5d43e6e91441d084002f887de5ea0899fdd83ab41d03d2e1853a5c6a733dffb0a9b7f6a03d7b96995d15ed2132f26fa73278ae302f8b0c90d0f16

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
479KB

MD5
4c2c9b437eeb9e35362cd67ce5b9d538

SHA1
082a8a6fa59b2e95e64f0946bf44041dffef3f21

SHA256
d45401c5b04760517044cd8c4dbdb8da3e372ca8f85975012e4cda4684a179f4

SHA512
88d17cb7055db8aec3bdf360a722ea775775fa971cfa6bad3b4749fb37b9bee4a38c303320e208bfab0edab0eddb3e9e779d1d9ecaa1312e88f19816a49417ba

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
479KB

MD5
1aafbafc887bc150c1e1b3fafb28279b

SHA1
524b468fe1647d71d12b7e79f27bcd9b97db1b8a

SHA256
5796cd5c9f25b9ac364a49eca22cdbfa64377200734195c6820b4a08b8ee4fdf

SHA512
5dbeaae53687f40a58f1782155416b100f1b028e8388a669fbd151726e6b1c8eab1b168c1ec8797ea2b7c5578cbd47517b0dd88cdfdf672d685984e3f77ef08a

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
479KB

MD5
57928c6db6f344fb5070803cc56262a0

SHA1
0846cb7af82ccb6aa60211c343b47446dc485c4d

SHA256
2a5b603394b766a5454e7bc05559343882d74bcb881b29f8ebdd1e97d96a4a40

SHA512
07f67a7aec6764036691cfd220f36d26b4b944f7955d4b9c620917e6fb0a3d208124e6f8704349fcd72320d0e3902731b3d8cc3bc6a09dc3dc32f367c16f3c7d

Download Submit
C:\Windows\SysWOW64\Haidklda.exe

Filesize
479KB

MD5
48064844244632d970d90fec120d81e2

SHA1
673365160a467260d80f30a2d21091f071fa2210

SHA256
0c0fe57ec34e53e7ff2b1023b072ba0115e3beb5797011da81f61c6dcde16230

SHA512
a97bb32c3e82aef7a57577f19e318dee4bad66b34c8bb0869bce4dde8e01cc8fb965dd71408286fe9df4f2dfde877474741d1441a5212b810d3f74b1d9270974

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
479KB

MD5
cf3b593e394191188b6a2e9ddbf78070

SHA1
2acc1c7538e27a4a13159a870c4204908fb6f3ec

SHA256
307bb64dbb3c6389173ff860d5e665fe02e54cb3a5c3fefd072a9adc2959b1f0

SHA512
16c6a14be9410c640a5738dad103773fa44fa39d7b4a3123e36f27a42f86b81fc3fad79e29fc3aa261a50262ed238d293005ceaa80f07477866b6fc93955f0ef

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
479KB

MD5
1c0b7e4c97110373672b56b02e176363

SHA1
84f4dec3ed07dc2532f8afa23ec71c7177938cb8

SHA256
6fa7554e6064d1e2785da34576230b72ce96dd36b527bbcdd7e2ab8873c1a5c7

SHA512
e6a97d128eb3326c6e92c7cfc66f87a1ce879cfb07d5cd35268f01144532bc37da4f8db1ff56ee941161842a03302f0ab97165f3e99dff43b93a4edcbecb0a05

Download Submit
C:\Windows\SysWOW64\Jdcpcf32.exe

Filesize
479KB

MD5
c4a1b124b9917dba3addb8fd23078b00

SHA1
9fafa1e925ced588afe6a92bbf386aaba9b796f8

SHA256
c6e6de861f1b942d21f984a1b21ea774ecdd1a002e08b9c326d49533a5da04f1

SHA512
3fbed2d5ac180cccaf12ed1d32b5d6128f073c4371d393a9746ccec5ce931575bacdf19ba616446e4477e8c0b0b05efd452f8e32aaeba98ee905712b9cd67946

Download Submit
C:\Windows\SysWOW64\Jplmmfmi.exe

Filesize
479KB

MD5
ce6f81926517b70cf63321ad4ae17771

SHA1
dd1c7b0fe327983b932af2a3e438496dcdfa96e4

SHA256
d75d5d233d5d385202849a502ed95411aaa7b06acde6081d2da105ac74d4dc3c

SHA512
cc092c9c0396d5a30c46dac135e286f2cba3e01c16629975e34a8ba4b45f650db390c6ac546871d22b62b68f0d8db3483f405b671c51ac02e8915d6a056463d2

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
479KB

MD5
a02f8e4c26c7d297b623549de46e4cbc

SHA1
f04644467dd9366e0d2872c645ae6564a99832eb

SHA256
8b22e8c13fab03f3976b90ae434f0c61410210a8e493a2c07bbd710501359ec2

SHA512
4750205696daf5fed36016f1f838541029a289f04de6592d9d9cd1e7538408435e2c35f1cd65fb05862e0e3dbb16e6595b2bd4b56d2192a56c887f359246e003

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
479KB

MD5
567bc60373c5bf6cf10431fc172bf1fd

SHA1
cce0d9fcb0472edaa71b962db4ef15777d2a4425

SHA256
4961efd89b2f45fd92a0eb61b8fbce1dbe290364cdd539ce728f870fd5cb1263

SHA512
339c7c3260a699f5f272ba5e404a14a445c7e3188e85d867f58510f53c382d1f9d655f0b379752182b4969605368e76aa15bfc89ea59679870c84cc5f0086ba1

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
479KB

MD5
a5f2059797e38a6d66f514e452db7505

SHA1
4adaa5ee3c622bf24e5f28c5e1d7ce5ecb922a6b

SHA256
620a780f5c4eabfa93918863ffc852db9e26df6da1202160319b11769ef3741c

SHA512
b5f48ea04977cec793d2dac93195aec7cc64e3e152c669443ad9136404021f0be60ce03a29cb3794364a39ca7bb9d9b7281e8dfe55d8543a58cc60e066daae31

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
479KB

MD5
911ceffd7151ff44ce83450aad1a0496

SHA1
1d19a7250ce4a45d8f19d3703301546a518293d3

SHA256
414115ebe5d91ad36c266a82abfe0dce914a9cf08ebefe5033e84054afb24280

SHA512
ed955aa221991c7efd079b42ca28b49296105894bdd6ba310066d14f0473502ba315258c32209bc40b4a3daf9ccb16db2babdb0488e258371316c5cb30848d13

Download Submit
memory/116-48-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/116-580-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/448-73-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/448-599-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/740-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/740-0-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/740-540-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/748-151-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/840-325-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/844-378-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/872-431-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/960-519-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1020-164-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1384-472-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1392-81-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1392-605-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1412-402-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1420-264-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1440-354-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1536-507-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1560-557-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1656-246-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1672-367-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1680-198-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1864-443-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1944-455-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1956-396-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2012-644-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2012-128-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2212-95-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2212-618-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2256-111-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2256-634-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2352-136-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2356-223-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2424-306-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2532-238-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2680-17-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2680-554-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2740-419-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2772-625-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2772-104-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2776-207-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2788-495-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2828-413-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2844-290-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2948-612-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2948-1219-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3004-518-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3016-348-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3144-37-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3144-571-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3164-284-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3196-29-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3196-561-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3228-1083-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3228-534-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3608-266-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3628-573-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3628-40-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3680-182-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3692-191-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3800-597-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3800-65-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3832-272-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3864-461-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3872-388-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3948-9-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3948-553-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/3960-314-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4032-337-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4112-120-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4112-640-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4128-166-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4176-308-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4192-355-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4228-394-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4268-541-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4448-425-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4540-478-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4580-437-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4600-296-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4628-496-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4772-331-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4792-278-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4800-484-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4852-1141-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4852-361-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4916-219-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4920-175-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4952-57-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4952-586-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/4972-254-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5100-449-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5100-1111-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5236-574-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5328-587-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5440-1020-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5464-606-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5560-619-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5660-1050-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/5716-642-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads