ad81d9667bb3d282742c4647332bfd053cc032402aa186fc4f9bea67c8e596f8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad81d9667bb3d282742c4647332bfd053cc032402aa186fc4f9bea67c8e596f8.exe
Size

1.2MB
MD5

0063de02130d82f86673e5af69ad8d95
SHA1

8eebc36d5484e32da82daf478b1fdada922f1ff3
SHA256

ad81d9667bb3d282742c4647332bfd053cc032402aa186fc4f9bea67c8e596f8
SHA512

ba65e5559c4c9dc2804cee8216bae59a0351e9b19193365f6dd1cdd1f054e8b518adb910c6a4fbad018c6482fc2759aa21b2e31d02e46e765a2695f6a307d677
SSDEEP

24576:zQ7Al5hwq5hVW1nq5h3q5hL6X1q5h3q5h:s7AYt6

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcnejk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqohnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Diihojkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfnnlffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphifcoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbeghene.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjbako32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elccfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gimjhafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfcgge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmmfmbhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbckbepg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjmoibog.exe

Executes dropped EXE 64 IoCs

pid	Process
3032	Cidncj32.exe
2460	Digkijmd.exe
3416	Diihojkb.exe
3984	Dhnepfpj.exe
744	Djnaji32.exe
4968	Dphifcoi.exe
544	Dpjflb32.exe
4100	Elagacbk.exe
2260	Ebnoikqb.exe
1856	Ejegjh32.exe
4296	Elccfc32.exe
1828	Eoapbo32.exe
1924	Eflhoigi.exe
2212	Ehjdldfl.exe
2484	Eodlho32.exe
2280	Efneehef.exe
4256	Ehlaaddj.exe
4776	Ecbenm32.exe
5048	Ejlmkgkl.exe
1256	Ehonfc32.exe
1264	Eqfeha32.exe
4192	Ecdbdl32.exe
2740	Ffbnph32.exe
1532	Fjnjqfij.exe
4580	Fmmfmbhn.exe
2264	Fokbim32.exe
864	Fbioei32.exe
1936	Fjqgff32.exe
932	Fmocba32.exe
3168	Fomonm32.exe
3192	Fbllkh32.exe
1692	Fjcclf32.exe
4312	Fqmlhpla.exe
4400	Fopldmcl.exe
3592	Fbnhphbp.exe
4104	Ffjdqg32.exe
4952	Fihqmb32.exe
3588	Fqohnp32.exe
4392	Fcnejk32.exe
2948	Fflaff32.exe
1344	Gcpapkgp.exe
3768	Gfnnlffc.exe
1664	Gimjhafg.exe
3152	Gqdbiofi.exe
3308	Gbenqg32.exe
5004	Giofnacd.exe
3808	Goiojk32.exe
1016	Gfcgge32.exe
3064	Gcggpj32.exe
4740	Gjapmdid.exe
2900	Hclakimb.exe
3600	Hapaemll.exe
2396	Hcnnaikp.exe
5108	Hfljmdjc.exe
572	Hmfbjnbp.exe
324	Hpenfjad.exe
3876	Hbckbepg.exe
4660	Hjjbcbqj.exe
3964	Hmioonpn.exe
2804	Hadkpm32.exe
2660	Hbeghene.exe
3464	Hjmoibog.exe
4956	Hmklen32.exe
4188	Hpihai32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gfnnlffc.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Fjnjqfij.exe	Ffbnph32.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fqohnp32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ejegjh32.exe	Ebnoikqb.exe
File created	C:\Windows\SysWOW64\Elccfc32.exe	Ejegjh32.exe
File opened for modification	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ecbenm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Fbioei32.exe	Fokbim32.exe
File opened for modification	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hmioonpn.exe
File created	C:\Windows\SysWOW64\Ifjfnb32.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Fjqgff32.exe	Fbioei32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjbcbqj.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Fphbondi.dll	Ejegjh32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Gfcgge32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Fmocba32.exe	Fjqgff32.exe
File opened for modification	C:\Windows\SysWOW64\Hapaemll.exe	Hclakimb.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Kmgdgjek.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Ncjcpe32.dll	ad81d9667bb3d282742c4647332bfd053cc032402aa186fc4f9bea67c8e596f8.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	Fmmfmbhn.exe
File opened for modification	C:\Windows\SysWOW64\Hjmoibog.exe	Hbeghene.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Genjanmh.dll	Diihojkb.exe
File opened for modification	C:\Windows\SysWOW64\Gcggpj32.exe	Gfcgge32.exe
File created	C:\Windows\SysWOW64\Ijdeiaio.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Djnaji32.exe	Dhnepfpj.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Ibagcc32.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Dpjflb32.exe	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Bobgoedj.dll	Dpjflb32.exe
File created	C:\Windows\SysWOW64\Jangmibi.exe	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kdopod32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fjcclf32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Hclakimb.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7048	6952	WerFault.exe	246

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elccfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmmfmbhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeahce32.dll"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdhine32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmgdgjek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fflaff32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fihqmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehjdldfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdopod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idacmfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Efneehef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcomh32.dll"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fbnhphbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll"	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jmkdlkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmocba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmfbjnbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqnnk32.dll"	Iikopmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jdmcidam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdghlnlo.dll"	Ebnoikqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 3032	3532	ad81d9667bb3d282742c4647332bfd053cc032402aa186fc4f9bea67c8e596f8.exe	82
PID 3532 wrote to memory of 3032	3532	ad81d9667bb3d282742c4647332bfd053cc032402aa186fc4f9bea67c8e596f8.exe	82
PID 3532 wrote to memory of 3032	3532	ad81d9667bb3d282742c4647332bfd053cc032402aa186fc4f9bea67c8e596f8.exe	82
PID 3032 wrote to memory of 2460	3032	Cidncj32.exe	83
PID 3032 wrote to memory of 2460	3032	Cidncj32.exe	83
PID 3032 wrote to memory of 2460	3032	Cidncj32.exe	83
PID 2460 wrote to memory of 3416	2460	Digkijmd.exe	84
PID 2460 wrote to memory of 3416	2460	Digkijmd.exe	84
PID 2460 wrote to memory of 3416	2460	Digkijmd.exe	84
PID 3416 wrote to memory of 3984	3416	Diihojkb.exe	85
PID 3416 wrote to memory of 3984	3416	Diihojkb.exe	85
PID 3416 wrote to memory of 3984	3416	Diihojkb.exe	85
PID 3984 wrote to memory of 744	3984	Dhnepfpj.exe	86
PID 3984 wrote to memory of 744	3984	Dhnepfpj.exe	86
PID 3984 wrote to memory of 744	3984	Dhnepfpj.exe	86
PID 744 wrote to memory of 4968	744	Djnaji32.exe	88
PID 744 wrote to memory of 4968	744	Djnaji32.exe	88
PID 744 wrote to memory of 4968	744	Djnaji32.exe	88
PID 4968 wrote to memory of 544	4968	Dphifcoi.exe	89
PID 4968 wrote to memory of 544	4968	Dphifcoi.exe	89
PID 4968 wrote to memory of 544	4968	Dphifcoi.exe	89
PID 544 wrote to memory of 4100	544	Dpjflb32.exe	90
PID 544 wrote to memory of 4100	544	Dpjflb32.exe	90
PID 544 wrote to memory of 4100	544	Dpjflb32.exe	90
PID 4100 wrote to memory of 2260	4100	Elagacbk.exe	91
PID 4100 wrote to memory of 2260	4100	Elagacbk.exe	91
PID 4100 wrote to memory of 2260	4100	Elagacbk.exe	91
PID 2260 wrote to memory of 1856	2260	Ebnoikqb.exe	92
PID 2260 wrote to memory of 1856	2260	Ebnoikqb.exe	92
PID 2260 wrote to memory of 1856	2260	Ebnoikqb.exe	92
PID 1856 wrote to memory of 4296	1856	Ejegjh32.exe	93
PID 1856 wrote to memory of 4296	1856	Ejegjh32.exe	93
PID 1856 wrote to memory of 4296	1856	Ejegjh32.exe	93
PID 4296 wrote to memory of 1828	4296	Elccfc32.exe	94
PID 4296 wrote to memory of 1828	4296	Elccfc32.exe	94
PID 4296 wrote to memory of 1828	4296	Elccfc32.exe	94
PID 1828 wrote to memory of 1924	1828	Eoapbo32.exe	95
PID 1828 wrote to memory of 1924	1828	Eoapbo32.exe	95
PID 1828 wrote to memory of 1924	1828	Eoapbo32.exe	95
PID 1924 wrote to memory of 2212	1924	Eflhoigi.exe	96
PID 1924 wrote to memory of 2212	1924	Eflhoigi.exe	96
PID 1924 wrote to memory of 2212	1924	Eflhoigi.exe	96
PID 2212 wrote to memory of 2484	2212	Ehjdldfl.exe	97
PID 2212 wrote to memory of 2484	2212	Ehjdldfl.exe	97
PID 2212 wrote to memory of 2484	2212	Ehjdldfl.exe	97
PID 2484 wrote to memory of 2280	2484	Eodlho32.exe	98
PID 2484 wrote to memory of 2280	2484	Eodlho32.exe	98
PID 2484 wrote to memory of 2280	2484	Eodlho32.exe	98
PID 2280 wrote to memory of 4256	2280	Efneehef.exe	99
PID 2280 wrote to memory of 4256	2280	Efneehef.exe	99
PID 2280 wrote to memory of 4256	2280	Efneehef.exe	99
PID 4256 wrote to memory of 4776	4256	Ehlaaddj.exe	100
PID 4256 wrote to memory of 4776	4256	Ehlaaddj.exe	100
PID 4256 wrote to memory of 4776	4256	Ehlaaddj.exe	100
PID 4776 wrote to memory of 5048	4776	Ecbenm32.exe	101
PID 4776 wrote to memory of 5048	4776	Ecbenm32.exe	101
PID 4776 wrote to memory of 5048	4776	Ecbenm32.exe	101
PID 5048 wrote to memory of 1256	5048	Ejlmkgkl.exe	102
PID 5048 wrote to memory of 1256	5048	Ejlmkgkl.exe	102
PID 5048 wrote to memory of 1256	5048	Ejlmkgkl.exe	102
PID 1256 wrote to memory of 1264	1256	Ehonfc32.exe	103
PID 1256 wrote to memory of 1264	1256	Ehonfc32.exe	103
PID 1256 wrote to memory of 1264	1256	Ehonfc32.exe	103
PID 1264 wrote to memory of 4192	1264	Eqfeha32.exe	104

C:\Users\Admin\AppData\Local\Temp\ad81d9667bb3d282742c4647332bfd053cc032402aa186fc4f9bea67c8e596f8.exe
"C:\Users\Admin\AppData\Local\Temp\ad81d9667bb3d282742c4647332bfd053cc032402aa186fc4f9bea67c8e596f8.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\Cidncj32.exe
  C:\Windows\system32\Cidncj32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\Digkijmd.exe
    C:\Windows\system32\Digkijmd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\Diihojkb.exe
      C:\Windows\system32\Diihojkb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Windows\SysWOW64\Dhnepfpj.exe
        
        C:\Windows\system32\Dhnepfpj.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3984
      - C:\Windows\SysWOW64\Djnaji32.exe
        
        C:\Windows\system32\Djnaji32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Elagacbk.exe
        
        C:\Windows\system32\Elagacbk.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Ebnoikqb.exe
        
        C:\Windows\system32\Ebnoikqb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ehjdldfl.exe
        
        C:\Windows\system32\Ehjdldfl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2264
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        31⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        32⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        34⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4400
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1664
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3152
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        46⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        47⤵
        Executes dropped EXE
        
        PID:5004
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        50⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5108
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        56⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        59⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3964
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        61⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        64⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4188
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        66⤵
        Drops file in System32 directory
        
        PID:880
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        67⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        68⤵
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        69⤵
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        70⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1284
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2092
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        75⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3820
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4888
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        79⤵
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        80⤵
        Modifies registry class
        
        PID:112
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        81⤵
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        83⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        84⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        85⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        86⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4568
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        89⤵
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        90⤵
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        91⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5176
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        95⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        96⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        98⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5480
        
        C:\Windows\SysWOW64\Kmgdgjek.exe
        
        C:\Windows\system32\Kmgdgjek.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5560
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        102⤵
        Drops file in System32 directory
        
        PID:5604
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5644
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        104⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        105⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        106⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        107⤵
        Modifies registry class
        
        PID:5800
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        108⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        110⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        111⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        112⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6120
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        116⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5504
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        119⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5748
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        122⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        123⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        124⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        125⤵
        Drops file in System32 directory
        
        PID:5152
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        126⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        127⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        128⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5760
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        130⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        131⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        132⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        133⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        134⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6032
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        137⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        138⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        139⤵
        Modifies registry class
        
        PID:5904
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        140⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        141⤵
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        142⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        144⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        145⤵
        Drops file in System32 directory
        
        PID:6352
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        146⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6408
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        147⤵
        Modifies registry class
        
        PID:6440
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        148⤵
        Modifies registry class
        
        PID:6484
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        149⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6592
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6684
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6732
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        154⤵
        Modifies registry class
        
        PID:6776
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        155⤵
        Modifies registry class
        
        PID:6812
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        156⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6904
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        158⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6952 -s 408
        159⤵
        Program crash
        
        PID:7048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6952 -ip 6952
1⤵
PID:7016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cidncj32.exe

Filesize
1.2MB

MD5
58edadfa0077a09adf67869cb4ee2c08

SHA1
69428c64ef28f5227e5f37353595dfb79baf5c72

SHA256
071ac9d27842cb243870121af387213e01e4a2cb2ab248c959bedd0d392fdd78

SHA512
fb3f1d7153056c548ac397495b3e1ecd7adc613085ef4e77b68d607e7b2b09cc3f0d69ee529e0bcf966433543728068cddeb1250b5968723e4c0eadad2c9021c

Download Submit
C:\Windows\SysWOW64\Dhnepfpj.exe

Filesize
1.2MB

MD5
419ccaefc3301afcc04e23bdc652087f

SHA1
6cfc802c2d94c9b65b0b0052045e4d0c2a26a23d

SHA256
07dc320606375197a4a01d1a4b72ecf995e9383a85001436a58f20ca80a46f1a

SHA512
182c42120d9fd771ee53251ea7ef5de0e49bfe57271b5821cc37355ba2a33414c320c4a4066468ac3672dfe0784b6eb61ac287ddd5733d093210b700d4b07fb6

Download Submit
C:\Windows\SysWOW64\Digkijmd.exe

Filesize
1.2MB

MD5
25d6088b39bc693b0da5f25fd531691c

SHA1
2b875e141ae394f13573a0d45f9d34d4fb2e4899

SHA256
0fbd21cb4722946c15da2eb11f02d08a3c34a4e464b874f1e4203577939a5afd

SHA512
d1540ce7673ad8c17ac3eafc86272a320fe1a6203a6e1d8f6b5d37fafb5764bc91d9b37bd395c7a9863e245c46b067d03587fcff0a78030ffb9487fe3089ca6c

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
1.2MB

MD5
a3336b77414c8fa9bd36d30c68cae2e1

SHA1
7a1aaa22a31e683acab38a17ce4b6e5a65cd8232

SHA256
61a10d951d7eb20e649f661c54e4b162ff9b8c3d4698d0545e491937b327f09f

SHA512
8ce5e68e6e5e1dc8c566897c8c1f9db50d589a9bc38eca64f340cfdda374c62bcdf7ba8a347809f68f527d24d9d5bfcf5836b73f5fc30d73924c6851732b368a

Download Submit
C:\Windows\SysWOW64\Djnaji32.exe

Filesize
1.2MB

MD5
067a07b1becab7d1dc838941e87f0f30

SHA1
27e6cf90cb1bf5e2c81895e5ce0f6ba4a80f6074

SHA256
d1543b4088d4707d79ddc4b7a4c1debeb2d4c76ce77fcc09fe1fdb8145c3620d

SHA512
0a53f96c42bdbc2263dfe0768fa12247c71eb23296e40b8ea0cacc53c0e4fe949993e9608d0d16f487e4f31e89a409c83595777fcdf12075052986d01ef954fc

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
1.2MB

MD5
12f7150f657f75462033e20d7087a53a

SHA1
0271f5c045982d235624bf89fa2e758f5fe77236

SHA256
8afa302af3e13d63412f9f3aa96c8136abce08502854fa5174d2e08ad4ea9d6c

SHA512
c0ffd717fdcf8c6e75d06ad11781598c48a7e5a0ce3479f266cface4ac049d6ad82fa2d82c0a405fae3ed170e9d7d4091f6761ee34b84050d349367c15f87a96

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
1.2MB

MD5
7cf40a2e8e8b486d3796cbdca9517f32

SHA1
29a7861bf2a0d0924119113e11db0c830a178075

SHA256
6f4fd92b69ec4a6a96a25b7fef12bd5ae2f404486325812d5cf17884f19b03dd

SHA512
7f748ee45e0f34defb3185e289c4a83a6c22541ee0f6e8a0ab85134aada6d2b2adb8889e67a4dbbd7c7211d60aad804cc578b22f6d0e18335c476a46f8eae371

Download Submit
C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
1.2MB

MD5
7ff4d301f014e44338ec89b5bcfb1710

SHA1
afabe15ceeb699665f84fdfe68688f6074d8bf4f

SHA256
04c7fc6d2367cc9cc98ddb23b817e4e0fd4a7d3a12f17c25e25255cd1a21edf7

SHA512
b9ae9985a3e0583617fec2c4ed93dd449ac378e8041712984e4447646e27e9a642e64ac72bd4fd2face9a2e6813a26df4e04208f3741c5cfb4174dd5201ea55b

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
1.2MB

MD5
3c9d79347efb5b8db0d070de7ac48460

SHA1
2f02fde7aae969816e5d42616661e41c6c9ab486

SHA256
f410cc242ab816fc48430bd76e6bc8ba99540f3f59a329d2a165d786b877cd48

SHA512
9bb36e692cd30e7178b228f088c59982b719d71204dec77db36db02099e993638ef9e189fc4a17976a17610c35744e96f78e20d572a8f42a331942612809e8c6

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
1.2MB

MD5
e269b4a562b0558a5dc995d69c6cccfc

SHA1
2909a5be8d4ef65233ccf5c834ca1f2e5300b07d

SHA256
6ef4e26e13a1c10252e8eb9a0852cd11530666ebe62e3ce7bbd1bb39933d4e3f

SHA512
6bd1e542fea9b066cacc024a60fbe052f999b6e115b145be2e39a0f7a72c9dbf870e25143f8981ccbd6114b9ea0e9113d2790b44124e7745da17bc4c28a86542

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
1.2MB

MD5
5abc65f70baaf9ad8be08ff5c5367e2b

SHA1
0a974c19c080c7ae0fb5be145cb1bbeb84691418

SHA256
5d464adedcd9bf86cda9b928106f51308141e58d31c59698bee81292ddb440e1

SHA512
2a28f4f7ef9f5f5671a774559a87aacfea524ac99a390dd3f3ded8514c4d9c16b4991e63444d3607dbea79d9a11ffd25e50c88725d5ea2e5507a531d1846bb2e

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
1.2MB

MD5
44d8199131a925f28847adc06f0ef34b

SHA1
03b1f77996920524195401054db4722fbf0b47af

SHA256
2d69abd496593cce0bb9a071efe94e192e5ea41657c1b15d078927238447a6b9

SHA512
61715aec20f144de5a5618344669858da114cc04fe2bc108c4d660c009aa8b55ce2ad907dba893e377ac72944e2d1bb43f8103148b6641620f8c9859366dd824

Download Submit
C:\Windows\SysWOW64\Ehjdldfl.exe

Filesize
1.2MB

MD5
8afa6f580000b53d8c21220d71c70890

SHA1
05e1b806a48dab6fd301ae0a9e379c8a3f160a5c

SHA256
698702ee583a5f7824ca428fcd22f55a1c3b0af703eec52f915bea8178d299a4

SHA512
9ca11624b764272ea216bfa99cb36871902ca7e08ab6f30fd2b2b14bc9eeac14d132d493fff54499b3bb0885825fd01f1e86218a30ef672708dc14a795cddcae

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
1.2MB

MD5
ad9d82758fb4de0bd204d8616b64a88d

SHA1
c639925a01fe6fc88d9da36649efb7efb5f5b3a3

SHA256
7c146b8c98963a039531f71a58a7df9af2ee586379abe319462acd86890b257f

SHA512
6aa959a39aa3d4e1e74c5887248b792397f510376c6b865806591c5b1b7d56263d8df6cc195cda87126b93b0e5ba76ef3ca63d16284e6178f43051a8230cc76f

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
1.2MB

MD5
6c675b49779fca7030baad8e218805b0

SHA1
9cc312813a15e553bfe28d79e2fa50ee1f3b7b1e

SHA256
0aba22c17665d3535c2847dd110051e5e9717c777d2363dfb8a851a11fe2d77b

SHA512
acdf7b3292722875f387a4951b74f746c7e65da50f601650a57a00f65d81b7c304b2a72164b6ab1e11517eb1ffaa8f1eeebaa255a9719f8a181d929d3f28a539

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
1.2MB

MD5
f494109f41521c15929726d8f7ffc498

SHA1
02bae9a6958b457c1bec0ad7321b4b4c90fc3a05

SHA256
b1e77d5c6bc43309f00a7f25f4973888bfa10433c8bbc0c31259a5ce3535e886

SHA512
c016f5a20469dbc3a9119d09bf419a314883c319a48bee3bcd7cc0a9e874d0ca23312de68737af4ee7d0179b775a121cffe95eb2f074ca343a6932242499461c

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
1.2MB

MD5
0d8e4de408c3bd02ed014877c968eadd

SHA1
61584c510bdf53b7d75caf3bc355a672bff87d5b

SHA256
51bc01063548846ed65a57a56d45fbe5351a15a89039c1e5c17a44c1798cb177

SHA512
c71b6670546400ed8354f03f3751aa72d622747a4722b8adbb7cc000c686e4620944bd1a16b9f201702bb7ab707a00ec63ea6765ccde171f7b094fb2daf010b8

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
1.2MB

MD5
f6e2f3f9c77081e42149bfb353b2c875

SHA1
e3a7689e17adf3b49eeff42ad6fac282f89b3975

SHA256
ed355a18e4bdf2aeb6182c36198e37b90616e58702c6e5d3780601cb55f2f532

SHA512
df08b749ed1fb8ba8149eb83c26c48bcb72d487835b3f21ccaabe37722cfee0a8abedd18ce70ad893a9747dcc18adfc87c682b76ae24b2c57d6aa0b9b44c8389

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
1.2MB

MD5
97716e7cfde0e99824f109389f30463a

SHA1
a9755736ce603d20be2c20392792ac9ab90e3117

SHA256
fa32d2562abb9e9f74e7f2090ca31d195a76b43ba811ffa721f680f8dd85351f

SHA512
2bae641a3c0cacbf6bbc43bb802eee4f6e4a2ee2e36b9dd05b27a5c492f058a298ef4ba6004f97490006c37387737bce2d7fb822515db6596a0f2ef8abf4ea1e

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
1.2MB

MD5
fd4ca23b5787265e5515491dbe82d433

SHA1
6cd07008a0339ca923093449e927f00c4a41c550

SHA256
043fac719ff299781c1d3e5961f0a9f801dbed6d17ae8792aaab9461255a6f3c

SHA512
a394320c40f88416aec5e4e2da4684a79eeb58fa34209bdb12ed6d38b56be23909f6516d1ef4a3891ae45be4ad931b70eda0f6ad834864010d0ff7891f533f9f

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
1.2MB

MD5
4c89ac97c8c019f7d6fb618d70bb5a5b

SHA1
be53edae7b6391ba2965fa83fc8132b7486235a2

SHA256
ed0a88a15c8320d65c51032ed67571af6297cafc86b931ce8fa4d7ec30ba3adc

SHA512
0169038902b17eb3c61b7b13fcd617ad431b013911440c9eb727e3e04930f6d12868256bece93131088d32c777390451dd05c71e8fd9110c41a2647dcd44a596

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
1.2MB

MD5
047ae59f323c3503dbd324620ea8d66d

SHA1
6d42bafc20a483028926e988d230d09b90365b31

SHA256
d30433cae3ebf7f6a2b14b25a2bcd012e30ed3103a5af01ad2b7ecf9aa38c431

SHA512
73cad8a30bbff6dca3fb418ac77359f6e01d60b460cf5e40399ad3c4243cfeae4a1f1f70ce0ab067ea57b9668cdc9f529702b0b33551152e512ee2a17f9d0715

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
1.2MB

MD5
854d26eed7bbd853c2f1d83002c6da1d

SHA1
56981df4123edbab313c8dfa9ca62b087ffc482d

SHA256
c60b7ca97ea486b328cfef78bb49a3baf265b9278892671dc7d6c2d0c65a067e

SHA512
bc61dcc55dacfe9042ad4cd0a0cfdb3bd35bc20688fd8e7a497de6641b5ab14ed1f5e523028519c68eca1f4a8aae43ad084310c9772331cca24636d5a6c042cd

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
1.2MB

MD5
c908b53e65014088c3d89505c49394f5

SHA1
95b1eb5d9174449913087c8114c768bf3d9ed1ce

SHA256
f6f533ab027bf7b56ebb4d403f79ace206615cbf2a07a94455acb2e2432f0fba

SHA512
e6673d392420a53e16101eee10b810ca127d28de216fb1231be893ae601467125376903b3d1a3bb27b0a66483a54dbe4ea95b742eafc600829ae45a5bc738bad

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
1.2MB

MD5
766c485e729ecf96dea62bf139bebd85

SHA1
f4834a72f7ca5e9311e4521c3f3413a5f0e4a657

SHA256
d1bdfcdf804d5b910c51558726fd1c27b1a01689b250b513f8a6af375cb421d1

SHA512
7b746ee0b74eb876cf7b757b47761be0c888e285a1bedcb0fb3e65c579cb286c91b93bca12848893ac3066f1e007c2d430ccf68a1d2897bdd17b9b190f917386

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
1.2MB

MD5
bf0f8a9f0da7fcd1f41c1f7c0b8e1399

SHA1
976f3c79f1f5a5c3dd7819d2ec5fed95e31ca10d

SHA256
b939518bd6d22ee8c986dc43eaa446f4ef2ed4a079efa3399830eeebffc6a0e5

SHA512
c5df2dc2069f506f58f4ead372187d2cd63814539877ad176c709cbddc2e6ee98c64c4d1e32b9337efdbf8d0bdfcba53315077c8324690821ae6d6988e04d898

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
1.2MB

MD5
f12d5ae834506a418cadd8bc55c20941

SHA1
b31c8407bd2814758cde9b839da700aa9fe67d49

SHA256
a26b91bf7bb623128149bfaf22f3cf369fc00e8ff56d1782a688167381f018d2

SHA512
3e76d3295bbb3d08fca200ea776ec6e822c02dff18a4df3ad62684ba0f4a5037cbe3ce668f0aeb63414c0c126e38fa50f18c1c2a5e8e1cf4f0c9c860fa6d321d

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
1.2MB

MD5
5000d20ae9f57a9a831eb7361416f442

SHA1
628af3f8daf389c0679579f4bfc53e0e81906c71

SHA256
8c786db8c3bede8a18a45110f505fe6981814f1e3aa7e836f1c12d8f6a1e1c1c

SHA512
33574d05cf3497c196e43e75f669e4fabcc417f02fa3367e794222cbc3e6ab09c8988faaf62bc561dd64e050b21a68ce5b533b0e3b6ab0daa3930af205f79a66

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
1.2MB

MD5
75bcf654c0dea70c365a21fdac08da14

SHA1
0fcb03a9b71605e372319ba4dd0ef878d33ef556

SHA256
7417cc593c39488e140736569f2f0fe74ea3482207374b9b25b959b605031cc5

SHA512
865e4bbd33ed8fd888ff7a2496e33d4dae52ea790349293b6bc8cab557250fc9f5a66dd6ca19efb85b2a636ca09d3a71ebc58f6db850d3d89af7388561e78bb7

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
1.2MB

MD5
29e3eb35187377d83c07234b281ad7f2

SHA1
9f20b2f1d9d06f84d5075ad37030bf474f86a64b

SHA256
170e4bb1379723967962c68a7d5c035e6366de2ed0195c7392f0f075d034c2f0

SHA512
4bcd047ba25c154851e07e1da2d5b174e1e33285f94f4ec9ba0372c742be4b09abe552ebb49e174a9a6c21f5003ed541131ce3932cbbb0dd99ecaa9861dc155d

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
1.2MB

MD5
b19599355de1dafadffbf9eb606d8de8

SHA1
bd4b9138c1c6cff2ecce3d0ad980f8af37eb5830

SHA256
2ead7733f6c0fda4b2ddeee241a90b19adafbfa1e26640bcd886f5f7549c132b

SHA512
6fa1e5d0767413257727e242c931f6e83b589907e2aa405f6d97cee82b9fc915938a27ba635d6bf14162feee7a61a86be897cda449d95afd6f4a457f6cec86dd

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
1.2MB

MD5
b523e12f44f3b063ebbf7c225de11045

SHA1
109b67327452f1e5311d610e618e21a4bfa3274e

SHA256
05b47374724df7cf2ced71385c146151da85c416713edcd23b77d7f2ba9dac09

SHA512
3738e6cbd4c157f28eec751d1f6f5ba6b8fd7f63c19b43be3c11c2e61b0e4a28472d6d499f4ee504ba8431aef00e6e015208cce836a987077f75e8b5372887af

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
1.2MB

MD5
b3004115dd404527e2ca865d7391cf4d

SHA1
9f30219555dc384f1672c3a4fe1336fbbfd0ee6a

SHA256
b391b96b53ea8bdff1d61465279c45530d28fba9af0494f7c4d8a16e79bf516d

SHA512
6a45a97a820cda95cbafd84de2c593d0515f6283974d98cef6738a5b07b8f08b1d89139b78e6dd791ef325a1971083ba9a704075a49a7d0b518d6ae1eefb00a9

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
1.2MB

MD5
5cfa59c2d78b5f3e2b8153a9bef2de38

SHA1
ce00a8bb7c4443634bda0b48789a378eb1308148

SHA256
8b5304939eb94a2b555f574e381cc56062937f3e77700b04bb0ebf0f0bf9b5f2

SHA512
a434309560cb31447488331e0a7d64712cf285856629290faf4e66f9089d77001bd6a3601ddc80e99d864cc2459d5942f22be2e9f2afebaa4babfa9fd4144bcc

Download Submit
C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
1.2MB

MD5
b0f1d36c9f9755a3a8b3910d7ddc14c3

SHA1
4e773ba704162394f5a7c46549e4091c9cade69a

SHA256
ee7159ed3eb1ac79c5f764cbe10b183bcf2615c3a66345b18641286e9e451ec2

SHA512
800984893480d9d08ee56ce3e83931d1c1b4b514054ad967c23a5c732d2b8c7a905e1935c73ee47655199ee867ba0aa97bfd23d20e3b4f9d106effbc5c12bda5

Download Submit
C:\Windows\SysWOW64\Iikopmkd.exe

Filesize
1.2MB

MD5
fe3e2381936918c570b368dc6c1ef0c0

SHA1
9c72b0920922a42c6229d1d61744b027fbd42c82

SHA256
349bb47a474d4325d468905a32e61e2846fc4088c5427a6b13c601540fc79ff0

SHA512
148a16ab0f14a221573f7456c6d7ec2df50d13013183df03b9102ec95b310629337401efb88400d2035529b5a80e6ecc2dc6e830c0a979805871e395decab0a4

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
1.2MB

MD5
00a57c08237e3a91daed6e98f2abaeab

SHA1
043ede84343d63795d4362c012a86f59864bb9f9

SHA256
1fbf739b5cc174d6e92d3c60fcecc215daf181720f958b660097e64ac1ebebef

SHA512
117c310ef9908d824a608c3c9b2c0ff6396d1aa160947d99c7e20acb5008b2c4eb606def2c04283d6491102abc190cc6591ab3599fb13cf1ab809d95411c1e33

Download Submit
C:\Windows\SysWOW64\Jaedgjjd.exe

Filesize
1.2MB

MD5
d03761121d8fe39d0bd1aa24223a3c63

SHA1
bcd9316ad0f7d657b078fee91ec12c223ef2ac86

SHA256
62e5d68d470a21c376b6278cda3200b1684d31068d1ce776c47814cc97881985

SHA512
7e279d1e05efa8dfeccf2485ac588655f574a987125da3b1b1bc9ed31489515403f787188a0e6810426ff544543839a5929050298578f103bf8471b27e09611c

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
1.2MB

MD5
357d46deae7efdbae0d7e99d175cd5c5

SHA1
58bc323aefd74c66ccbb82cb5002425675927969

SHA256
0026a27ec6dae6efff88e94cdddf101b52b2dcfc37dd55df40753a58b793134e

SHA512
de3a1cc63176fecfed59a7c1d5c5e45d6d488a305b507ae89298e85dbb0cc36fbf1234c086a9691990001f5b113c42ce4c0b6f07e5e94f096c25677f7da1858b

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
1.2MB

MD5
9134ac20cf5d73bff10ac530aea262d7

SHA1
47b44e268c04a2a218fe7c27e54f302c0cb0983b

SHA256
9f888d6cfb7c4a50530833f95c3eca655b359e23ddc1add1d9ba30b5f68db41f

SHA512
8082e586674fa35460835c3ce232fab4a5f736b558bb7d671659f5d11f968d4839310c3effcd5c420b9391748110535db2d94e0e7243ae0a0d3e58f413b0f8a9

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
1.2MB

MD5
ce669e61ad6472d17373a245eb8a959c

SHA1
52a9a98dbd18b5f56d4b7a34ae0da989a09c6eb1

SHA256
e7f6a95ea919d7d41804fcff795a65c6af626a9dcdb6d81e510879a391203ce9

SHA512
7481978129003d9298bb127b498b724cd6f130345743d69ed91e0b02c7c5dc48d462e81f29d756609d1cece6ff73e39f8fad76d74ae806fafe65a14579b95cb9

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
1.2MB

MD5
9ad3261d96b47298bc5c72b6a1f8f832

SHA1
0e984c6903a028f4aa86fdb6e230c2e5935dc203

SHA256
2f43929d25ea2e02b8b257fce0b58dce22c176901490078d114f327af7f34ca9

SHA512
01c7e779fcabe64726b026634edd655220607ee504f402933be507dc2b658160c60187474110d770fa973090390a7ddbb70af2e8b9ab89d166206b1128b56541

Download Submit
C:\Windows\SysWOW64\Kpepcedo.exe

Filesize
1.2MB

MD5
5a49df7f00b59ba9ca6b72e5f77688b5

SHA1
a0ecb30de958ad679c5a44f353c09ebece781639

SHA256
3178682b671e270ee41be71b3852d0b92712331e327c543e9d90f5601366f523

SHA512
e909e64c2b7008b35c34e36c19314f413a5a66befda5b80751269df5cc4a32192ea68c65f43bba4cd8dd6738030c2acc76b53d42608c548b365236c5649b5991

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
1.2MB

MD5
c4616984785ca20b7fc7c0e8ea77d502

SHA1
f58af9ba80c289c47e9dff87339098f937c0214c

SHA256
cc639f389ac469831ff7a4657dc9142d51fc454fa1aaf186e024b310f146969b

SHA512
c428aba4712f74eb5c1645a96ee126b6d5dd0b98e7a0e16c73bc010d30bf02f5b9068b95c90989485bc8b059fed8478e01be647fccbcdd4a58dc96c26079aeea

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
1.2MB

MD5
46603313cabab679d67a736a6ecd153b

SHA1
6ae558d74920db473191a52680296aef75f6132f

SHA256
57968c8df06c2fb6714c9665e930c808d429369d4e1323742cd0d6eb05182940

SHA512
cddd0ecc540206bebf6c95ee23429d533a6b7393aaec232bd20e62f9d2c99eced013fed2a40c22b67973b51efc223a4c90abe838e35a895ad5f95cd687bdaf10

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
1.2MB

MD5
d2af856d94e7e8811c96d49aa1b2ef48

SHA1
2155edeae213c8ecd112c55ac20262902895d2f7

SHA256
6538d14ebb120d994c7a0a078b3d211211e4a1d5e1921fff5cffe8eba71f2089

SHA512
787c7e86c29aa7fc8270ab060f84935a67aa05291b519226f8612318f36a62ee00bba2cf124b1bb8e8b06cdecaabcdaf2744e32a5338cf4cdce038eb9c512d9d

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
1.2MB

MD5
29d3d3908ac8fc5c9cf02bfbacac6e7d

SHA1
385c907a06412facb10b6cb6b484cd328c03be7b

SHA256
0c1f210dfc04c07fa95543aef40d260fe5dde4001111899ff33917811dde5a9b

SHA512
5cdbed446cd963b17080852128ac22bed8dce6e837d8f3b4eb745bbc6c116f107327c52635db261882366e65d148a48bd18d1faa21b54e5d88c96ef5b4532583

Download Submit
memory/112-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/932-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1036-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1532-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1536-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-555-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1828-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1856-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-563-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3152-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3168-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3532-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3588-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3808-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3820-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3984-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4188-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-603-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4296-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-582-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-588-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-593-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4888-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5136-605-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5176-611-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5216-617-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5276-627-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5316-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5724-1125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads