96adf81d74a49f68075f6d49e0fea9320e71320b642f4604c4c449ea5c1f71f2

Analysis

max time kernel
139s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96adf81d74a49f68075f6d49e0fea9320e71320b642f4604c4c449ea5c1f71f2.exe
Size

56KB
MD5

19c72b25779b311f6d85a6c6ba6694ef
SHA1

ebc41d82fff90eaa3b96ce3d610fb8b45eb7fb59
SHA256

96adf81d74a49f68075f6d49e0fea9320e71320b642f4604c4c449ea5c1f71f2
SHA512

8d8cff13fcdb21569b83ed338c873e66884629b399b7f8ee36063f437d42315b033f195fddbb4828bc2c8e28256fe7641a7e6f9006c20650960eac6c077c30f3
SSDEEP

1536:+aplDmrwOaBEW7dd289y+pICN8vXQZnrlz:vlyvS5b9yBCNUXQ51

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifhiib32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecmlcmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eofinnkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibeql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifopiajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gppekj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplmmfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe

Executes dropped EXE 64 IoCs

pid	Process
3400	Epopgbia.exe
2976	Ecmlcmhe.exe
2524	Eflhoigi.exe
4744	Ejgdpg32.exe
4236	Eleplc32.exe
4460	Eodlho32.exe
1724	Ebbidj32.exe
2904	Ehlaaddj.exe
3944	Eofinnkf.exe
4468	Ecbenm32.exe
2000	Ehonfc32.exe
464	Eoifcnid.exe
1772	Fbgbpihg.exe
3884	Fhajlc32.exe
3544	Fokbim32.exe
4480	Fbioei32.exe
4608	Ficgacna.exe
4732	Fbllkh32.exe
3584	Fjcclf32.exe
2972	Fqmlhpla.exe
4676	Fopldmcl.exe
5004	Ffjdqg32.exe
2032	Fihqmb32.exe
5012	Fobiilai.exe
2468	Fbqefhpm.exe
4340	Fjhmgeao.exe
3368	Fmficqpc.exe
2356	Fodeolof.exe
4332	Gbcakg32.exe
872	Gimjhafg.exe
3736	Gmhfhp32.exe
3468	Gcbnejem.exe
804	Gjlfbd32.exe
2712	Gmkbnp32.exe
4548	Goiojk32.exe
4876	Gbgkfg32.exe
4060	Gmmocpjk.exe
2728	Gcggpj32.exe
3780	Gfedle32.exe
1364	Gjapmdid.exe
244	Gqkhjn32.exe
4804	Gpnhekgl.exe
4556	Gcidfi32.exe
3208	Gjclbc32.exe
908	Gameonno.exe
3332	Gppekj32.exe
3296	Hfjmgdlf.exe
2640	Hmdedo32.exe
1632	Hpbaqj32.exe
2436	Hbanme32.exe
4444	Hfljmdjc.exe
3384	Hmfbjnbp.exe
4844	Hpenfjad.exe
4600	Hcqjfh32.exe
3108	Hfofbd32.exe
4872	Hjjbcbqj.exe
3936	Hmioonpn.exe
2988	Hccglh32.exe
2768	Hfachc32.exe
4180	Hippdo32.exe
4816	Hmklen32.exe
2760	Hpihai32.exe
3184	Hbhdmd32.exe
4948	Hfcpncdk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fdcfcpdf.dll	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Lbdfmi32.dll	Ffjdqg32.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Jdemhe32.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Qbplof32.dll	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Hpbaqj32.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Hjobcj32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Gmkbnp32.exe	Gjlfbd32.exe
File created	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Ifhiib32.exe	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Hbanme32.exe	Hpbaqj32.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jjmhppqd.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Ecmlcmhe.exe	Epopgbia.exe
File opened for modification	C:\Windows\SysWOW64\Hpenfjad.exe	Hmfbjnbp.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hibljoco.exe
File created	C:\Windows\SysWOW64\Ifopiajn.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Iinlemia.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Lpacnb32.dll	Gqkhjn32.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hfachc32.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Ibojncfj.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Qgenhgdd.dll	Fodeolof.exe
File created	C:\Windows\SysWOW64\Hfjmgdlf.exe	Gppekj32.exe
File created	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Mdemcacc.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lfhilofo.dll	Eodlho32.exe
File created	C:\Windows\SysWOW64\Gbgkfg32.exe	Goiojk32.exe
File created	C:\Windows\SysWOW64\Lpcioj32.dll	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Ibccic32.exe	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jibeql32.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Ecbenm32.exe	Eofinnkf.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	Fodeolof.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6504	6928	WerFault.exe	274

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpdme32.dll"	Hfjmgdlf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjmhppqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kkpnlm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	96adf81d74a49f68075f6d49e0fea9320e71320b642f4604c4c449ea5c1f71f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jjmhppqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kdcijcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebbidj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eodlho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll"	Ejgdpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfedle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekppcpp.dll"	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpnhekgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iabgaklg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opocad32.dll"	Hibljoco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbjnidp.dll"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibimpp32.dll"	Jdhine32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddfpk32.dll"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qngfmkdl.dll"	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 3400	3556	96adf81d74a49f68075f6d49e0fea9320e71320b642f4604c4c449ea5c1f71f2.exe	82
PID 3556 wrote to memory of 3400	3556	96adf81d74a49f68075f6d49e0fea9320e71320b642f4604c4c449ea5c1f71f2.exe	82
PID 3556 wrote to memory of 3400	3556	96adf81d74a49f68075f6d49e0fea9320e71320b642f4604c4c449ea5c1f71f2.exe	82
PID 3400 wrote to memory of 2976	3400	Epopgbia.exe	83
PID 3400 wrote to memory of 2976	3400	Epopgbia.exe	83
PID 3400 wrote to memory of 2976	3400	Epopgbia.exe	83
PID 2976 wrote to memory of 2524	2976	Ecmlcmhe.exe	84
PID 2976 wrote to memory of 2524	2976	Ecmlcmhe.exe	84
PID 2976 wrote to memory of 2524	2976	Ecmlcmhe.exe	84
PID 2524 wrote to memory of 4744	2524	Eflhoigi.exe	85
PID 2524 wrote to memory of 4744	2524	Eflhoigi.exe	85
PID 2524 wrote to memory of 4744	2524	Eflhoigi.exe	85
PID 4744 wrote to memory of 4236	4744	Ejgdpg32.exe	86
PID 4744 wrote to memory of 4236	4744	Ejgdpg32.exe	86
PID 4744 wrote to memory of 4236	4744	Ejgdpg32.exe	86
PID 4236 wrote to memory of 4460	4236	Eleplc32.exe	87
PID 4236 wrote to memory of 4460	4236	Eleplc32.exe	87
PID 4236 wrote to memory of 4460	4236	Eleplc32.exe	87
PID 4460 wrote to memory of 1724	4460	Eodlho32.exe	88
PID 4460 wrote to memory of 1724	4460	Eodlho32.exe	88
PID 4460 wrote to memory of 1724	4460	Eodlho32.exe	88
PID 1724 wrote to memory of 2904	1724	Ebbidj32.exe	89
PID 1724 wrote to memory of 2904	1724	Ebbidj32.exe	89
PID 1724 wrote to memory of 2904	1724	Ebbidj32.exe	89
PID 2904 wrote to memory of 3944	2904	Ehlaaddj.exe	90
PID 2904 wrote to memory of 3944	2904	Ehlaaddj.exe	90
PID 2904 wrote to memory of 3944	2904	Ehlaaddj.exe	90
PID 3944 wrote to memory of 4468	3944	Eofinnkf.exe	91
PID 3944 wrote to memory of 4468	3944	Eofinnkf.exe	91
PID 3944 wrote to memory of 4468	3944	Eofinnkf.exe	91
PID 4468 wrote to memory of 2000	4468	Ecbenm32.exe	92
PID 4468 wrote to memory of 2000	4468	Ecbenm32.exe	92
PID 4468 wrote to memory of 2000	4468	Ecbenm32.exe	92
PID 2000 wrote to memory of 464	2000	Ehonfc32.exe	93
PID 2000 wrote to memory of 464	2000	Ehonfc32.exe	93
PID 2000 wrote to memory of 464	2000	Ehonfc32.exe	93
PID 464 wrote to memory of 1772	464	Eoifcnid.exe	94
PID 464 wrote to memory of 1772	464	Eoifcnid.exe	94
PID 464 wrote to memory of 1772	464	Eoifcnid.exe	94
PID 1772 wrote to memory of 3884	1772	Fbgbpihg.exe	96
PID 1772 wrote to memory of 3884	1772	Fbgbpihg.exe	96
PID 1772 wrote to memory of 3884	1772	Fbgbpihg.exe	96
PID 3884 wrote to memory of 3544	3884	Fhajlc32.exe	97
PID 3884 wrote to memory of 3544	3884	Fhajlc32.exe	97
PID 3884 wrote to memory of 3544	3884	Fhajlc32.exe	97
PID 3544 wrote to memory of 4480	3544	Fokbim32.exe	98
PID 3544 wrote to memory of 4480	3544	Fokbim32.exe	98
PID 3544 wrote to memory of 4480	3544	Fokbim32.exe	98
PID 4480 wrote to memory of 4608	4480	Fbioei32.exe	100
PID 4480 wrote to memory of 4608	4480	Fbioei32.exe	100
PID 4480 wrote to memory of 4608	4480	Fbioei32.exe	100
PID 4608 wrote to memory of 4732	4608	Ficgacna.exe	101
PID 4608 wrote to memory of 4732	4608	Ficgacna.exe	101
PID 4608 wrote to memory of 4732	4608	Ficgacna.exe	101
PID 4732 wrote to memory of 3584	4732	Fbllkh32.exe	102
PID 4732 wrote to memory of 3584	4732	Fbllkh32.exe	102
PID 4732 wrote to memory of 3584	4732	Fbllkh32.exe	102
PID 3584 wrote to memory of 2972	3584	Fjcclf32.exe	103
PID 3584 wrote to memory of 2972	3584	Fjcclf32.exe	103
PID 3584 wrote to memory of 2972	3584	Fjcclf32.exe	103
PID 2972 wrote to memory of 4676	2972	Fqmlhpla.exe	104
PID 2972 wrote to memory of 4676	2972	Fqmlhpla.exe	104
PID 2972 wrote to memory of 4676	2972	Fqmlhpla.exe	104
PID 4676 wrote to memory of 5004	4676	Fopldmcl.exe	105

C:\Users\Admin\AppData\Local\Temp\96adf81d74a49f68075f6d49e0fea9320e71320b642f4604c4c449ea5c1f71f2.exe
"C:\Users\Admin\AppData\Local\Temp\96adf81d74a49f68075f6d49e0fea9320e71320b642f4604c4c449ea5c1f71f2.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SysWOW64\Epopgbia.exe
  C:\Windows\system32\Epopgbia.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\SysWOW64\Ecmlcmhe.exe
    C:\Windows\system32\Ecmlcmhe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\Eflhoigi.exe
      C:\Windows\system32\Eflhoigi.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        24⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        25⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        27⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        28⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2356
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        31⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        32⤵
        Executes dropped EXE
        
        PID:3736
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        33⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        37⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        38⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        39⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:244
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        46⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\Hfjmgdlf.exe
        
        C:\Windows\system32\Hfjmgdlf.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3296
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        51⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        52⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4844
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        55⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        57⤵
        Executes dropped EXE
        
        PID:4872
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        58⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        62⤵
        Executes dropped EXE
        
        PID:4816
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        63⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        65⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3564
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        67⤵
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        68⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        69⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        70⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        71⤵
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        72⤵
        
        PID:404
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        73⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        75⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        76⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4400
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        78⤵
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        79⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        80⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        81⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        82⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        83⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        84⤵
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        85⤵
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3128
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3160
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4048
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        90⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        91⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Jjmhppqd.exe
        
        C:\Windows\system32\Jjmhppqd.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        93⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        94⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        95⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        97⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Jplmmfmi.exe
        
        C:\Windows\system32\Jplmmfmi.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5508
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        99⤵
        Modifies registry class
        
        PID:5560
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        100⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5672
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        102⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        103⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5808
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        105⤵
        Drops file in System32 directory
        
        PID:5856
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5900
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        108⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        109⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6064
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        111⤵
        Modifies registry class
        
        PID:6112
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        112⤵
        Modifies registry class
        
        PID:5128
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        113⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        114⤵
        Drops file in System32 directory
        
        PID:5300
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5424
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        117⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5648
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5736
        
        C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Kdcijcke.exe
        
        C:\Windows\system32\Kdcijcke.exe
        122⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        123⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        124⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        125⤵
        Modifies registry class
        
        PID:6108
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        126⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5324
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5408
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5976
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        132⤵
        Modifies registry class
        
        PID:5420
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        133⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        134⤵
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5268
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        136⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        137⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        139⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6152
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6196
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6240
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        142⤵
        Modifies registry class
        
        PID:6280
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        145⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        146⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        147⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        148⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6584
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        150⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        151⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6672
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        152⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        153⤵
        Drops file in System32 directory
        
        PID:6764
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        154⤵
        Drops file in System32 directory
        
        PID:6808
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        155⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        156⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        157⤵
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        159⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7080
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:7124
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        162⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        163⤵
        Modifies registry class
        
        PID:6180
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        164⤵
        Modifies registry class
        
        PID:6268
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        165⤵
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        166⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        167⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6532
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        169⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6696
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        172⤵
        Drops file in System32 directory
        
        PID:6844
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        173⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6892
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        174⤵
        Modifies registry class
        
        PID:6960
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        175⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        176⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        177⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6160
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        178⤵
        Drops file in System32 directory
        
        PID:6236
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        179⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        180⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        181⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        182⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        183⤵
        Modifies registry class
        
        PID:6816
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        184⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        185⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 408
        186⤵
        Program crash
        
        PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6928 -ip 6928
1⤵
PID:6348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
56KB

MD5
416437112f3d342a48e27e29065b387b

SHA1
6885430566638743001acabb315b39b6d229423c

SHA256
2ec81e7e309f9fcbc1f4328df08f62853b924c9e46ca891a8628d6e6c940f791

SHA512
31a43dad7c8e2e3f9c890c29e03a8e2ef431db1e0b61103343a1ff80d07fcfcfdbf23e2513ea77e7866fc0c35834b14c6e13de5ae5b2e029ec70a5608eba8eef

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
56KB

MD5
9d359542223e65b4d26d9aa18be53e2e

SHA1
5278baa7dd3ccaca076f370c6594180bd488f8d4

SHA256
69d8b83a86a7ef4739fc31d96b3b7bb9c72e059e83997276fce8bbb9587e3ae2

SHA512
02b58b5227fe676cef7501a9edc0b9e6374ca00109910915ca697aeff7fd4c37371dea16641110dbc1473c5e11707a7391b41ffc582ed89bdf17f31e8c9190db

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
56KB

MD5
57118e28c4212b0c4471b424fdb0ff48

SHA1
b2fc87986310703b353e3ccea65b27c1954f22ac

SHA256
401b168c81fcbb7b13e4440a980935aabdcb171d89bf63e6adfad216ec495e8c

SHA512
3088b0d13d99a1e4f454465e3bebedf8586d63766c360951c5d9327be5ec189f5aa9db6045dd64c1affaff58928a240cee796553048ef171c936643622ac060a

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
56KB

MD5
be656a938139df0f9bdf317a55d325f4

SHA1
4b6eb6304fb8aeda5cacf63746dc868b6c011146

SHA256
59d80c732944ddb1df6a768491c706c89753a198975b1f1e238e5496c24a9254

SHA512
d8abd7249482e2d7564e300577c07c04724a2b3ee4a1e3500c266f9df301ab1b732a674ef2974f32a9fc8c6ed899535b0e873efbd92d6ee804e4442eed185da8

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
56KB

MD5
ed85f4d042a9fc48e347b2df4457c575

SHA1
e3cbe49e4cff816f054c3728fa9b41f950774078

SHA256
79dbea067c1d18973a9a543191dec09baeb6ed07dc88d176bb661a4d2193ca83

SHA512
6ddc681ca5e2fd0f7c117f31a8c8c61c582abfe32816186a138bbd0c368ace370f0145c9ea470f43b6709090feb00f57ca4ae066a50a1ed72909db7b3a1ca55a

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
56KB

MD5
bd36a80a1e3b1297e0643926af0fcf67

SHA1
5f8d58835dac5821a4f53a45980f7f5b08796ef8

SHA256
85825dc7868ba271a46eaf329d3f3f5707b61d5a2f0bf6bc76b02dabc35aba63

SHA512
5e75e965efea2b83a37de638a05c825abf80f7a0cda097019807ce7c9153c5dcf59d3423f18e4dabef44d1b7e05292f526546acbfaea07149f1ff72f7ed554b6

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
56KB

MD5
73ffef4fcc9fd1cb77addf4ff4155378

SHA1
bb541183373d07bbbc78c778638a806201bff822

SHA256
021b2bf9f50650de1d0affeb705bf729391130df1523bcba265516ea02e0db1a

SHA512
5f451fbad548e285ce344d1612720dc22adf3d41573fdf2c4ee695dd025fd8c130182fd00f0fc2218f5707a9d420acc347e1dba092217d811578cc1f4b9ad29d

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
56KB

MD5
f08510cb288a807913c391e2e00666b7

SHA1
2b6d4af52a942107a68acc1e56a7b912af3c0adc

SHA256
c437768475df1097453dff21acb3583229aeaf47ab78c7c2c8bec51563192420

SHA512
1cbc33f3389bbdece6f02c662f733d8e204ba02164c7dade454bed778241d5131fdde571e8a57df1739966949995b6476f8ab3bf0d831defa0f378e8f2c8662a

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
56KB

MD5
25bdd25b2f8660f1fd058da34364a598

SHA1
27e847c4b1941c83a060c8ebc936140e508d3de8

SHA256
1ed9655bdd39bc356a61179a0b703760d9d3ded1ae1102954919be78d97e9764

SHA512
e4dcb9ca8c2d6c63e676ec44f7261b6faf60b044bb7579ac4ddd82882d3412050cf7c3097e1d844b15941082df970a65e11ea4f79858c74740a6ae97967818b2

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
56KB

MD5
8068e0ddb8559f96758e33814a1d5c80

SHA1
89c213238d940cd1c36026bab33a03c7879ae83f

SHA256
204f2890e87078dd933f749bbd7be162bf0579bd5f0eb2a4d7eed19bddfe47b6

SHA512
8a7ff4512ce77f96e4c4f291dd4dde1227683bf5c9f8006aa1d63d86249aac5d143d9d75dc97361d57cf9c45608b2fbcce424a40e252578a038b0f2dac292567

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
56KB

MD5
f95ee347b228d7755af4e6e37bc59fa0

SHA1
83ffc9cd9634488cdac44e399f4451dc93be2cd0

SHA256
759689943fcb6378734ca0dd0a84805a851bfc861619b721da20acab469eb169

SHA512
4744220037d506ff2732050f56ef6b7a684ad5cabc80ecc167f5a0d5fb411e8ed7f2c9fd22bf83b56f0345fe3ebec4426e230b270f2bf28b00dfe12066b60b18

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
56KB

MD5
56138660eaf8ca706f23b852592eb53e

SHA1
5fd12f775cf8d219248a53d6e6bb303f763d3ed6

SHA256
b8a68de956de52b2970199440a3090a2298208edf5aa58f3d643f8dcce7534f1

SHA512
a04fe990425725d28b41522138ab33a0e6228195a46ef9b9362f5ecdd907cc4b210aaefaf4c9cd725a2c5ed36027dd17059246505d1d1566ed29cb8e6f0d9657

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
56KB

MD5
26d227d2853ee80ffd757658ddf800fa

SHA1
14c0cccb64820bb616f02d4baa315774ef4580c9

SHA256
a55b789a6c8a063161d6dd6d053020c89ab1f66acf328f20259931f48f02d0fa

SHA512
3dec628a9c4dbbbdb505408a296b20f73da336c2c1028610a5e3bfdff2b3d2ac9c5dd86cdbe65810dad6be7b379dd7ab4ab14eca7b6cffbf08171477e843f49e

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
56KB

MD5
836bd9b97e019105ad353ea8cd30b4ba

SHA1
7d2508fe583b56cd9302cc2dd3fe40b28f2088ce

SHA256
5eb8e050486364a6ce34eb11ca6b1a496c8d3f37bb9be12763b3715fdac5352f

SHA512
62a678fad18e9a4dedf326f2f36fba9faa4580829fe3354b210c2150d9bb940b5c8101259520550f3236e89d153215ee31b31604e315a0bb9c1e0406ac97b91f

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
56KB

MD5
1621efcce88e48cc5f687fbc1b85664d

SHA1
a057f59b8816e8ba2ca7ac418a8ea15940871aa5

SHA256
0264b2880289331048468d32630150981f776522783398c04dc633251df45804

SHA512
8a1937a45a28b6a25d99770036cef7915b13dffac8cce1782df769eb80fc2f5b494ccedd1641dd68410faa90f4e332b4e5b3b561fd3d5d674c59f720e625b28d

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
56KB

MD5
dc078c8bc180b151ea44866df751fb8b

SHA1
ec804258d2d8958b9b54f460e81af25365d06591

SHA256
edb5a47d5c45a31bbfa70f235a53b45d10e20ce393adad3662c7f6f610b6b15e

SHA512
38e68f6ce39ad3c1d19002f63048e4110fbcae6ba85f7cd8a59905e38416fdf5b0f5418f9979debe02aa19548f05e4ad56d59027de433abea20c3da771b732d5

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
56KB

MD5
3387cc438bf2be7ee07ee382f81af0cd

SHA1
dd0ddbfba38346c9f37bfc6d20e422cbbed40c4f

SHA256
3566dd27baa4b0e6bac2ab46b83595c0b7936783dcd068ead1a9d4ea126161e0

SHA512
32842829cdb400052436514caeb55dcef9ec9ecac8d5d35de404189b1970aaf4f95f8267caecd857410e5b4dcc296971269368e01ab861bc57f3023e57f1e8ed

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
56KB

MD5
ab578a2823764b59d896677c75c9ec33

SHA1
9c9994c35469fa80e49fe6fe21a367a3fbfbf1ab

SHA256
191a244af366769f55aae838f4b00fa746147dd4fffd9396ec7e3f941a80bd3a

SHA512
97a546ca80cc652b402f75d4a78ab74a80acbda6f81fa642b60f96733864eac1532b54904d1f5d679b4378e375bf4256f2cacca68dc72f1c804eafa3fa23a0f4

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
56KB

MD5
0407695124c6aaff7b487b5c4b612694

SHA1
f76c202afb3c28dddbda4d1fa4850420412b63a4

SHA256
a3ef53da6802f99052ae9eb045345c4dd792e0be5725d7274ee2c7d9e345797d

SHA512
2e64f973f8e45fd16a8b24b448ce072ae78a65aa719aea9c62ac9c4f5da2b14d3321ce5c93a3a055b4170291e2ffd800b1e6190287e695885903ea89d8a651cb

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
56KB

MD5
f3eb3dcb32926b784dda7fae749efa66

SHA1
652af0a8eefda479937cdf57606a4b1b76dc90dc

SHA256
3a01fdd965ce23858ba3617ba8516e8eb116a4bf7b952de6767f323449f8db3f

SHA512
736314aa1c143c849757ed6487b7edf063d7b50ab7988b90a3a913321aa14cdd29adc0ba8e6138b4fffb4d830e2fe43e4f0d124065c42db1a1ed0295ea83fe55

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
56KB

MD5
f8843cea8136dcc207ff78da1002f40e

SHA1
a6a3e73cff2b326db1ce7a7120520d3d453c70a2

SHA256
e9a529212372dff4914d93ba05f050e940d318d64e6ab6d753403a54fdee5f0f

SHA512
c0937c2a0ce668abf656d192d920241ead7d5bdebf1827cff9c24f836f758ef0efa3bc19c25165368dc54e2f19dc608802f55a933536568a3d6d76ec07c5dc3b

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
56KB

MD5
7770120d707d6b06eb053eea482b0a9e

SHA1
47cb6f538b95a5628fa4077c28ddc5b3385451e8

SHA256
9b1d97950caba6b1718863a73009ac9381afadcd55b9478c058c27ef7cbbfce0

SHA512
e87271b79f281050985da326caaaa0bf1aff53a6cd70cb3b0ade816488ee05a6c992fac2d6cf5571c6b1d64ec9dc018c3c6c7304bdc778667cbdbf71c8b70be9

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
56KB

MD5
076897ee344e6b1e42cd61d9ec6093a7

SHA1
ae68d6453739f3dba2ad06f29c3b8e3127eb72bb

SHA256
01cddc24d64c6473f27ec39b23d1100fd9d7f762395585716459b88b9602c0ab

SHA512
ae15e8b3b4069fdc0f15acce273510524edfc6d0652478a9de1d6fb86eed7177a88c58ccd60892bbf997f4d3a8b5e41d8679f13207f669b69ab31cd6cf15b037

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
56KB

MD5
51468ab03390edba442e02f476406132

SHA1
2a0b0fb388abf1aa41aaa54cec37211a2417a166

SHA256
8f2355e5df1689a10cd6301cab89cd82f8935a7d3f2b8c8d072e780ff0d545f0

SHA512
9f57d2944560f7be798799a6f83f57159ba13458b95a32caa80507455c156b94c3ad8c1ef96d8670d794867012a51af629926e9a2da21ec9407fdee1a69df98c

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
56KB

MD5
a9e82d796297c32342639b2f09e08868

SHA1
e18494f3311d3922ae795e4c59f398a2db0a4d34

SHA256
b84deb529f08e4ec10928e54936981480b06b3f59dd7b6145e641533ac1b7482

SHA512
b536e3ea921dd296a9b638b0aaddbeeef6ee2d8f8ecba63c4c1a4c038ed40c4a7618adbce7a59d4ad08297f4baec9c7b3e7ea9fa25281fc26ee87030e0012d92

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
56KB

MD5
c81d35455e35d653abd137e208d79303

SHA1
0be9e90073d809f8a053bb096a6d4cd7b45794f8

SHA256
9c731520acceba30b822b6cddb171032b2916eb52da96237b8aaa65c6b5696d5

SHA512
39695642d84989fbae2e658c4eba8ada4221b220208145557fdc3dbf796cff7d384250396849fc8d5054cb8e5ce264d3bbee869eb3708436e395263e4a108f57

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
56KB

MD5
a4a6e518317c5379f9d11ceae62c4d0f

SHA1
7e57202a3002a082e4ac0b9ff4fd9236e1c0516a

SHA256
40dd8c39ad959f1c3b5fc3dca4778f13050296ae694c80c8adc254fff52940cb

SHA512
29f79c57ebdba67d969cbfb37d3851178411bb15e1acb2e826d900c60a4d775aba7478a6845a81f03d5a08f1b521a06783d1eb84057cef39967588afa823b11c

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
56KB

MD5
957d560e53a0aefe80b7927abe153762

SHA1
de51bdc2d7aab3a1b846280f10821c5a97186363

SHA256
3789836f0fafb1d0d7a8beaa00989a74421685b23c5aa65dee7cd3e9b1a788fc

SHA512
dbeb91da93e9320c983e9cda58eeecf2799f766d4178689e37029432e305d7ceb1a049085d91c09a1d27004ebe597c1dee112b53f132cad281c10a6edb025dcd

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
56KB

MD5
79345cecf1f1695205ce826508210e95

SHA1
e4e4d01e7e7d28a057e231564e9110170994ff3a

SHA256
88b289b387a9f8cfce4f5be3f8e84fc0935f1a85b5d4275213856090916844fe

SHA512
a50fc37cbb60ba478f0539e185422369dc4a7a458653cef67f7589088cad043e08b0430a4241a70b2fd49d43b43af8f2444a04dc1df906d6c280a55a30dae8ce

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
56KB

MD5
89c02130fd38bd1c78c96d75b92f5035

SHA1
be97ed6b94dd06c5ed315931de907a6f9e93c7b9

SHA256
81c72755fc164a704eaa3a169843c618d4ca81419bad5ef25027d0fc254b703c

SHA512
74a9a4d7e06079cfea30419d843b4907224099524b7f1c44e7a553483c331d80e75287a22913ccce6ef24d2647d6aa9d5785ad84169235cd3b79f3c141c3695a

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
56KB

MD5
ec8c69cc7c2cc511961df961f78cfe66

SHA1
c6f60eba1386b31e46a121eadf578c85f27ec695

SHA256
1a866658d699a8a02dade0f7e05a521ecafd59533a5795f958109fe15867fea7

SHA512
37ea1cad31310f840d40f3372105f64a67bc0fa0dd24489404702e59149854ca41e212bf8ffa3a9e161ce2a15d19067e8f1a44bf0fbcecd1774b505b60535c15

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
56KB

MD5
d671b3fab5b7637cd54634893efd334b

SHA1
26abf4d507185c0e6596bd5a7591a2eeecb0c037

SHA256
739a9956601bf712ba88a4bdeeb830658b8c41ac44cb8a0e5bedf31efee02d18

SHA512
7951941283fb194efee9c25f91eb38fe67092f22ed522c68a34349e17c58a4ca4a5acf3f6c9653a8eff433a470d290f1ec1a742346eabfc23785612695f56fb7

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
56KB

MD5
5e322965bd5ba07ef23c30dcaec3136d

SHA1
057c94aaff7335debdc60815122e11ede9dc8385

SHA256
6ae5b11a275302f2bc68100b696169f2cd93fce4147c46a1191a5267056df960

SHA512
4b89bc38e4f38b9e094ca857d974f35469272d6ada78fc9ee7797d8ccf646629ebd24c92a8bc44c73d5fa924dbc6bbbc76da3702813c799b13cfc8e6887edd26

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
56KB

MD5
2a0e15a6438c9a3ca52129774f9ff1b2

SHA1
8b5e3c48e3a5e0e5529dffbfc53b50da71e04bca

SHA256
2bf0ebf4a800b9ce583cbd4a796e9f89889c1401cf3dfd7171f6071f039cc85b

SHA512
2b5790e0a0b51b84d3946cb37cbffa50715ac99d1957389ea6a011018aeb56059fd72a3c25a8039b880b0d03df4d0346b7c74ecf3d7e866e4b22b9f66bc5b181

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
56KB

MD5
a5c643b30c42b3879aa3b78b3cece017

SHA1
29a7efb45220ea59b64c38f865fa408396cdea37

SHA256
35ec758700f1655a5e842ab8cde8f7cdbb6a91499dcfee4bd78109f906c32f60

SHA512
406253f1b74ae40f376cd65686921d1f461797ab147c066659e0393518de9727dcefd7b32e5f2ded6a74f820c9085cee9c650e302d4301a6b54d895a576d7205

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
56KB

MD5
75a481084a11bb004fbde4c4a8966d6b

SHA1
c60402ef44e8bbf2668770a4108a8839ea75b95e

SHA256
6b273dc75d0c57287a6d14e0f8f37734ec06b4aa35c19907f06793548a86ff95

SHA512
b8f73a2eb7d38eeb4567cfbcd0e276f37389e70a57b705b1ba9f50fb44b93ff25a274ac5c64608a3a31baf45b759c6314cdafdb3bf3ffb53eadae90c8581d6f5

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
56KB

MD5
7b6e9d81859f3c2415eb2a34399b232a

SHA1
26516a3c527a7da83e6443fe96581bfafd40b618

SHA256
44c866a829f9822155ec153765fc99ec90feb2901161568101784558505dfe9a

SHA512
52d5d09d016e7a9bf07aaa2771b6e361cce789bc1a19b943fe084f9e5e504e740d42b8774d451bdc22b638deb74fc8028a79917486d41e4db762de2e992dd713

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
56KB

MD5
49b9e0b8f8791fb06b73d22661e9d076

SHA1
8aea4eabb3304e1698e8d6a833edbdf7d2971fbf

SHA256
39ba0517698b85f07da23bd007f5936f9a64fbae57437220892b78a2b43df64d

SHA512
b406b0a2818cba706e153c0eaf630cf107d1d16fda23142244e5a5440090f8798c00950e886b42b4b47e6b4dcbb1b1154dfc9eea7a100eec029e036813ac6f2c

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
56KB

MD5
b85301de43d97ab400624292c9605ef2

SHA1
dba46eebdc9d19171fd1321479bb87f6326ae356

SHA256
76c7091dd964ef38785dae00af57ae00b50f8736c71ab6eac537f74cbb6cba9d

SHA512
8cc6b618e7a9c1febbaae25545b2903b72ded874f818a0bba0cf859c8f4ec81c9fb5b0342f45c3bd5918c5668d57bfcdcb5bdbed3e7360384499211df41bfd43

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
56KB

MD5
e0bbf480b8de5d675418949826ea6870

SHA1
0cf58a922f74631bcd06ead55f0de6b815edb176

SHA256
3b2ae847bd3ccdeebdf7201653a1bf6601f32ebe6d94f85b9412031571b71ab3

SHA512
a7306f97473084432e0f9efc10d024bcefdbc1f590609eab6c06211220253b289f73126d6ba9ca76aecb8b10abaf8bcd6edaa69dee7dda2acaf7f2902830a0bb

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
56KB

MD5
9d3c54ac9a045e5b6d23967209f31ee4

SHA1
0f317a0186231ce03cbb9bc59f5e2fccd8705722

SHA256
58c57c5e600a8f0f2ecceb4af08db245a591ed3ed699eb7665ad504962f2fcea

SHA512
e7176c381427b2d28da945aa2d048ec44d66d33a8ee714d05637a326389e9b0a1fc4335b3253969a6b3c932990b6851e01bf944d156ee5a290f604645358d60f

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
56KB

MD5
ab57a631cd57308071781e4acfb8fb26

SHA1
866f5619446a4460c52cd162a6773e36d241c9ae

SHA256
a51207ec92a1975bd4ede3daa485c685688df537f7eb5f2d31eb4889e025dbb8

SHA512
7ba20fb1583c8e869c9cd876715c4ccf52dbf2e0e07dd496687ee3a409b58fb0983b7fc6554f74bf71afb5d61334e447ce89a5c609db1dc78b564600f85f0ef0

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
56KB

MD5
b4ee3249694209056b48311ccfc76c15

SHA1
441c583c08f50e330aedbbb10f9fcc7f4964ce15

SHA256
0e207086cc4c4b1ec727eb36af17a1df5987876673f774e339d9327c1513dd42

SHA512
a5088b0c8969541d24d21220646f20cb3ea8e544d09cbcc70761e443a65592d30a8a9a81784c0642ecd3b7d6d41cfadadd2820e88763e0e64d9a834eb36a1760

Download Submit
memory/244-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/804-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1364-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1772-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2000-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2032-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2436-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-453-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-432-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3368-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3468-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/3556-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3584-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3736-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3780-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3884-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3944-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4060-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4340-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4444-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4460-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4480-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4548-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4556-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4608-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4676-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4804-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4876-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5012-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads