5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc

Analysis

max time kernel
92s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc.exe
Size

400KB
MD5

35b869eb630611d2824a615110f0024e
SHA1

b4a5c2fbe888a598a0c75a5388d0a9f9c63541f5
SHA256

5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc
SHA512

da5e88f91b4030811161ba3c3c957ccf196c0219d27b75f94aeb0cdccd98c568d352f8fcdabc9e0a95a49cc7d1ed62cc264fdb51c47f64c8e6da1a9d771372c6
SSDEEP

6144:/UR5QOrndLAY/Xr4Br3CbArLAZ26RQ8sY6CbArLAY/9bPk6Cbv:8R5D5Rrgryg426RQagrkj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hccglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoocmoao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Giofnacd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckhdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ficgacna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djlddi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjflb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipegmg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haidklda.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffjdqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbkjjblm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laalifad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakaql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe

Executes dropped EXE 64 IoCs

pid	Process
4352	Djlddi32.exe
1720	Dpemacql.exe
4504	Debeijoc.exe
3064	Dphifcoi.exe
1120	Dpjflb32.exe
1808	Ejbkehcg.exe
2932	Eoocmoao.exe
728	Efikji32.exe
2712	Elccfc32.exe
2856	Ebploj32.exe
4944	Eleplc32.exe
4580	Ejjqeg32.exe
2560	Eofinnkf.exe
2680	Ehonfc32.exe
1636	Eqfeha32.exe
3028	Fqhbmqqg.exe
3368	Ficgacna.exe
232	Fqkocpod.exe
2024	Ffggkgmk.exe
4268	Fopldmcl.exe
4040	Fckhdk32.exe
2384	Ffjdqg32.exe
3164	Fbqefhpm.exe
3488	Fijmbb32.exe
1464	Gcpapkgp.exe
1776	Gmhfhp32.exe
1980	Gbenqg32.exe
3040	Gjlfbd32.exe
1884	Giofnacd.exe
544	Gqfooodg.exe
4464	Gcggpj32.exe
3032	Gjapmdid.exe
4108	Gqkhjn32.exe
4128	Gcidfi32.exe
2740	Gifmnpnl.exe
1232	Hclakimb.exe
964	Hcnnaikp.exe
904	Hikfip32.exe
4528	Hpenfjad.exe
1432	Hfofbd32.exe
3084	Hadkpm32.exe
4624	Hccglh32.exe
4272	Hfachc32.exe
372	Hippdo32.exe
708	Hpihai32.exe
2068	Hjolnb32.exe
4980	Haidklda.exe
2416	Ijaida32.exe
2008	Iakaql32.exe
5004	Icjmmg32.exe
1420	Iiffen32.exe
712	Imbaemhc.exe
4840	Ibojncfj.exe
1596	Ijfboafl.exe
2768	Imdnklfp.exe
4364	Idofhfmm.exe
1168	Ibagcc32.exe
820	Iikopmkd.exe
3752	Ipegmg32.exe
2196	Ifopiajn.exe
4456	Iinlemia.exe
1580	Jdcpcf32.exe
4900	Jbfpobpb.exe
3348	Jiphkm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gcggpj32.exe	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Jbkjjblm.exe	Jmnaakne.exe
File created	C:\Windows\SysWOW64\Jbocea32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ifopiajn.exe
File created	C:\Windows\SysWOW64\Jpojcf32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Ddhbep32.dll	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Ggcjqj32.dll	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Eoocmoao.exe
File created	C:\Windows\SysWOW64\Gcpapkgp.exe	Fijmbb32.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gqfooodg.exe
File created	C:\Windows\SysWOW64\Gifmnpnl.exe	Gcidfi32.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Jkageheh.dll	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kpccnefa.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Hippdo32.exe	Hfachc32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Ipmack32.dll	Ipegmg32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfpobpb.exe	Jdcpcf32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Akanejnd.dll	Kbfiep32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Eceakm32.dll	5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc.exe
File created	C:\Windows\SysWOW64\Efikji32.exe	Eoocmoao.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Ibagcc32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Jidbflcj.exe	Jbkjjblm.exe
File created	C:\Windows\SysWOW64\Ggpfjejo.dll	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Cgkghl32.dll	Gifmnpnl.exe
File opened for modification	C:\Windows\SysWOW64\Idofhfmm.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Dpemacql.exe	Djlddi32.exe
File created	C:\Windows\SysWOW64\Hofddb32.dll	Fckhdk32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Imbaemhc.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Dpemacql.exe	Djlddi32.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gcpapkgp.exe
File created	C:\Windows\SysWOW64\Hcnnaikp.exe	Hclakimb.exe
File opened for modification	C:\Windows\SysWOW64\Haidklda.exe	Hjolnb32.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jidbflcj.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ffjdqg32.exe	Fckhdk32.exe
File opened for modification	C:\Windows\SysWOW64\Fijmbb32.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Lpfihl32.dll	Idofhfmm.exe
File opened for modification	C:\Windows\SysWOW64\Jmnaakne.exe	Jdemhe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6060	5972	WerFault.exe	206

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaida32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiagblgj.dll"	Dpjflb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbkehcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnlpfhd.dll"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpfjejo.dll"	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elccfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqfeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhmhq32.dll"	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Icjmmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifopiajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpemacql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miimhchp.dll"	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgiacnii.dll"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjolnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpihai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnplgc32.dll"	Hpenfjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibadbaha.dll"	Hippdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbenqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcjkf32.dll"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmlgol32.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgpaojg.dll"	Dphifcoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjikbh32.dll"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhjb32.dll"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijjfe32.dll"	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeebd32.dll"	Fijmbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmdfpmb.dll"	Gcggpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kflflhfg.dll"	Iikopmkd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4352	1112	5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc.exe	81
PID 1112 wrote to memory of 4352	1112	5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc.exe	81
PID 1112 wrote to memory of 4352	1112	5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc.exe	81
PID 4352 wrote to memory of 1720	4352	Djlddi32.exe	82
PID 4352 wrote to memory of 1720	4352	Djlddi32.exe	82
PID 4352 wrote to memory of 1720	4352	Djlddi32.exe	82
PID 1720 wrote to memory of 4504	1720	Dpemacql.exe	83
PID 1720 wrote to memory of 4504	1720	Dpemacql.exe	83
PID 1720 wrote to memory of 4504	1720	Dpemacql.exe	83
PID 4504 wrote to memory of 3064	4504	Debeijoc.exe	84
PID 4504 wrote to memory of 3064	4504	Debeijoc.exe	84
PID 4504 wrote to memory of 3064	4504	Debeijoc.exe	84
PID 3064 wrote to memory of 1120	3064	Dphifcoi.exe	85
PID 3064 wrote to memory of 1120	3064	Dphifcoi.exe	85
PID 3064 wrote to memory of 1120	3064	Dphifcoi.exe	85
PID 1120 wrote to memory of 1808	1120	Dpjflb32.exe	86
PID 1120 wrote to memory of 1808	1120	Dpjflb32.exe	86
PID 1120 wrote to memory of 1808	1120	Dpjflb32.exe	86
PID 1808 wrote to memory of 2932	1808	Ejbkehcg.exe	87
PID 1808 wrote to memory of 2932	1808	Ejbkehcg.exe	87
PID 1808 wrote to memory of 2932	1808	Ejbkehcg.exe	87
PID 2932 wrote to memory of 728	2932	Eoocmoao.exe	88
PID 2932 wrote to memory of 728	2932	Eoocmoao.exe	88
PID 2932 wrote to memory of 728	2932	Eoocmoao.exe	88
PID 728 wrote to memory of 2712	728	Efikji32.exe	89
PID 728 wrote to memory of 2712	728	Efikji32.exe	89
PID 728 wrote to memory of 2712	728	Efikji32.exe	89
PID 2712 wrote to memory of 2856	2712	Elccfc32.exe	90
PID 2712 wrote to memory of 2856	2712	Elccfc32.exe	90
PID 2712 wrote to memory of 2856	2712	Elccfc32.exe	90
PID 2856 wrote to memory of 4944	2856	Ebploj32.exe	91
PID 2856 wrote to memory of 4944	2856	Ebploj32.exe	91
PID 2856 wrote to memory of 4944	2856	Ebploj32.exe	91
PID 4944 wrote to memory of 4580	4944	Eleplc32.exe	92
PID 4944 wrote to memory of 4580	4944	Eleplc32.exe	92
PID 4944 wrote to memory of 4580	4944	Eleplc32.exe	92
PID 4580 wrote to memory of 2560	4580	Ejjqeg32.exe	93
PID 4580 wrote to memory of 2560	4580	Ejjqeg32.exe	93
PID 4580 wrote to memory of 2560	4580	Ejjqeg32.exe	93
PID 2560 wrote to memory of 2680	2560	Eofinnkf.exe	94
PID 2560 wrote to memory of 2680	2560	Eofinnkf.exe	94
PID 2560 wrote to memory of 2680	2560	Eofinnkf.exe	94
PID 2680 wrote to memory of 1636	2680	Ehonfc32.exe	95
PID 2680 wrote to memory of 1636	2680	Ehonfc32.exe	95
PID 2680 wrote to memory of 1636	2680	Ehonfc32.exe	95
PID 1636 wrote to memory of 3028	1636	Eqfeha32.exe	96
PID 1636 wrote to memory of 3028	1636	Eqfeha32.exe	96
PID 1636 wrote to memory of 3028	1636	Eqfeha32.exe	96
PID 3028 wrote to memory of 3368	3028	Fqhbmqqg.exe	97
PID 3028 wrote to memory of 3368	3028	Fqhbmqqg.exe	97
PID 3028 wrote to memory of 3368	3028	Fqhbmqqg.exe	97
PID 3368 wrote to memory of 232	3368	Ficgacna.exe	98
PID 3368 wrote to memory of 232	3368	Ficgacna.exe	98
PID 3368 wrote to memory of 232	3368	Ficgacna.exe	98
PID 232 wrote to memory of 2024	232	Fqkocpod.exe	99
PID 232 wrote to memory of 2024	232	Fqkocpod.exe	99
PID 232 wrote to memory of 2024	232	Fqkocpod.exe	99
PID 2024 wrote to memory of 4268	2024	Ffggkgmk.exe	100
PID 2024 wrote to memory of 4268	2024	Ffggkgmk.exe	100
PID 2024 wrote to memory of 4268	2024	Ffggkgmk.exe	100
PID 4268 wrote to memory of 4040	4268	Fopldmcl.exe	101
PID 4268 wrote to memory of 4040	4268	Fopldmcl.exe	101
PID 4268 wrote to memory of 4040	4268	Fopldmcl.exe	101
PID 4040 wrote to memory of 2384	4040	Fckhdk32.exe	102

C:\Users\Admin\AppData\Local\Temp\5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc.exe
"C:\Users\Admin\AppData\Local\Temp\5899f5e11baeeeceaeb4f4c9303422d1a58560c03a37ad7f67669c1939fbc3fc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\Djlddi32.exe
  C:\Windows\system32\Djlddi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\Dpemacql.exe
    C:\Windows\system32\Dpemacql.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\Debeijoc.exe
      C:\Windows\system32\Debeijoc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Windows\SysWOW64\Dphifcoi.exe
        
        C:\Windows\system32\Dphifcoi.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - C:\Windows\SysWOW64\Dpjflb32.exe
        
        C:\Windows\system32\Dpjflb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Ejbkehcg.exe
        
        C:\Windows\system32\Ejbkehcg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Eoocmoao.exe
        
        C:\Windows\system32\Eoocmoao.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\SysWOW64\Elccfc32.exe
        
        C:\Windows\system32\Elccfc32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        27⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3084
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4624
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2416
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        52⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:712
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1596
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:820
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        64⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        66⤵
        
        PID:768
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        68⤵
        Drops file in System32 directory
        
        PID:732
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        74⤵
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3132
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        76⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        77⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        78⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        79⤵
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        80⤵
        
        PID:620
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        84⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4940
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        87⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        88⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        90⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1384
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3372
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        93⤵
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2748
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        95⤵
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        96⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        97⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3484
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        101⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4196
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        103⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        105⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        106⤵
        Modifies registry class
        
        PID:5160
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        107⤵
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        108⤵
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        110⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5412
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        112⤵
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        113⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        114⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        115⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        116⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5708
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5792
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        120⤵
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        122⤵
        Modifies registry class
        
        PID:5932
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        123⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 400
        124⤵
        Program crash
        
        PID:6060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5972 -ip 5972
1⤵
PID:6036

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Debeijoc.exe

Filesize
400KB

MD5
c34e84c4fe18a7c4b0187ccdbae37b24

SHA1
071bc0cb6d3c50f3b5348adc2345e3eb5839f91f

SHA256
e81fc4e5a3637c99f197640d7bec9f3efc5fbe6a73458f09a6f6300651e59ba8

SHA512
9e8a519030005e04ea78f359ac53cdedf8f57bba62b53bd22489988303c87b49e900048716c3af6de25031d04460e4bc64e70c044f64be953caf15d6eed17d48

Download Submit
C:\Windows\SysWOW64\Djlddi32.exe

Filesize
400KB

MD5
f900ee8ed97a3b00bc6b1870eea01a7e

SHA1
44013586690afbe1cad53ca52aafc91aa677fc22

SHA256
f190280ec3e105b96f24320400a429ae991d43d4c16bdab68ef148f3ba3cf9d4

SHA512
f4d720549f9a015559d030334a8db81797c44966b31ec5a77e5e64d5f5ca7afd037f76b022bd46fda0956a7cc9ce2bc0b9786bad5362ccadfe73e85e412adb0d

Download Submit
C:\Windows\SysWOW64\Dpemacql.exe

Filesize
400KB

MD5
dc0c9e524f5327fcd08142530d755a77

SHA1
a8e11d4cc0c8db4679d7e1cd795ed9e3d7c5203f

SHA256
e9507f1c886f6240f8350a0103e5c56b56490fa5a39cb000038fd8c452530ec8

SHA512
44b1c4f5cc83393405d3f379c717ae9cc071be66cf61a9ae139c0e6054e93f11286ae8aa30489e51d5040a8e8de4f6d7584703fc76e522458a1dacd9b7a10ec0

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
400KB

MD5
93cc54f21fffcac4c5ea3c9ab55b5db7

SHA1
74ad93f1d44129dae1228fb9086b4779ff800da9

SHA256
905c76c3a343e6f9de827bf605d7c56d9e6a9b4e735f05971a54467c4a3e7ecf

SHA512
761d66e901b57434644fd82be92285c445b4ed5b9db09db74239389cddc965452136ccdce44391c7dfaa085358c400981a162b2dcce955136604a07596dd8ffc

Download Submit
C:\Windows\SysWOW64\Dpjflb32.exe

Filesize
400KB

MD5
cfacd912b91469e1817f63308d969a69

SHA1
68da851da02df617d289635b966acf5b9099e67f

SHA256
e5c26f00539c202dbe46c0453716fbabe89c884e45409814e5c797d275c96a08

SHA512
95b7a65dc54e711ee30a5303caeb964710fdaba4fec4f62937dd54e17bf89700cbcc33e0244bd78d52c816f0b10869d19c5682253921728ac2d7a5181cf4d8ef

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
400KB

MD5
24d024f2c812d96f897e59746c548df7

SHA1
6e306070c6024313b625dc42c7cf3f39dd079943

SHA256
cba52943a9b241a9fd4ad808e4ae11dbf494b3c76503e4479842680a9ad9d9e3

SHA512
5ac19efc09be3840b8ef71de975d77cb1fe9a518e29c1f864cdb2a4e5cd77724801351f7b992c7e934bac75a692b4aafa5ee04476d19cc0f9127cb00c2457eb1

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
400KB

MD5
aae7c581c46a6cede2fcda03e7bb893c

SHA1
0249a24bf7915c2bec5f1339c86ee1b80e6927ef

SHA256
316f55c00aea7583fa951f36bd9f106393e0492a246f808b7b28542332bc5d7e

SHA512
821bc67d3ba4e853daf8370f4d96982f24218084f3e6c4227f460ce0a8c94c13670d6cb780c8107b8cdc05ea2d5b19a454286a63ef950c3606e5add74465ace9

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
400KB

MD5
11facba650089fad04f45a9d3047cc0c

SHA1
680f26c86f43b4451f6da9df24fc66a5ed1e51a9

SHA256
439265cb06e4ce4559a085ba68f3d3c4d13814b8d0b78acff91eb9369608650e

SHA512
f22bbf59ad2fb9aa58c91f0947149b66722f2f36a836da11aeb3e018f5e050360efd9d1a8b3aefda0e5c1245216b0b4028810c92bb9a8a3c25ec1c3dfc2a00f3

Download Submit
C:\Windows\SysWOW64\Ejbkehcg.exe

Filesize
400KB

MD5
3aec6aa0f489df8a6355ff251c620373

SHA1
c0387d6232cf80eb3e20453bcf6f71b43bce6117

SHA256
292355663ced024d44f8aa2157681bf3cdf42fe7f8c998874c1333ba475879f2

SHA512
b23d4d855a05543ddd5e16e524eb06fec105a0f9715bc4b16fc858293166956e1b058934d8fa9c814d69e0cbbcd64f559fa14c6d98e6366cb9e4e0cede473f4e

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
400KB

MD5
803c215219a478934f5dff30084433b2

SHA1
5febe1b520f1e1e039d890dca6e81f459d25ae03

SHA256
87a89b38debcbad2424e707a8d8dfa40868c8d7ad82c76f1a6c50f859e1f0496

SHA512
f56e47603d4688cc592e700206d9a2536dd05f2743186f2f706d7aa8ca355a31dc5332494d70b38842889429a0593e8d8dd41b2aae78c108630735584b3cd89e

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
400KB

MD5
c0c261b32082c0065313dbe133340252

SHA1
7d1daa8f737659a3008428dadd7d73122712bfc5

SHA256
be3dca1f1178a8577cfe649df08ee2ae609ad78c66bd781ac6270d301b0471bd

SHA512
617895afc182bef663477c008102f627e49c306b1cb49e5c11a0731ede9767fb4653b67450c1b9401a7bd9d2f289436a87996cc3b4ec735d4a94bbde0a349171

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
400KB

MD5
3072fc010a7774f0c52a66bd81f88ddd

SHA1
5b50346651536add1af1bc87944b36995a96b7d1

SHA256
870004f3f7bc45168d3312ae61cb463c3b2f656ba5552575973097b0690b522c

SHA512
3cc03449fa181a79ed4fbec66e7b5c57f0756dcb5a30acc2433e4f190a31de8d576a64743197592b6352a188992fd4a4ecd327eb4fbe45f968b1fd73dbb86ff2

Download Submit
C:\Windows\SysWOW64\Eoocmoao.exe

Filesize
400KB

MD5
e0ff185f611198aa17bd575371c0932b

SHA1
d08cd0c500972cd166b0e4a3512baa87e52ef844

SHA256
6a558a406d4cdef8ee6e289a5faeaeda58dc4df499cde7326a1ad2157dd14c09

SHA512
ab275ad015939eb37dddbf5458d99520610597b8c647561e8495570acc7ec8e99bbda50442b2ab4c626b6b8647c129041f867f1334c574635317730d515a4e9c

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
400KB

MD5
a2c7e950d9f45ba6a7efdf5da9c4b279

SHA1
2facb45325ddb6ee493bac6caa57895fdb346282

SHA256
946a8a4af1a1a4c3fccbc0a6a1e6e813dc93839847f529661dda672d7fa11f67

SHA512
3ece0233e24e381a426c662edf8271b01cfd9df36ac7e8e05ac6dc9582f8e024f3010dc626dcc660e19eb22a273d039b738014b307983535f43ce900f776b3d7

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
400KB

MD5
a21221424a5f028f7213a953c3418642

SHA1
c64d0477f68b78c81a37f166c5a8a5ab67029c32

SHA256
1383536044dca6c23aedd8513c60a8465b3f92d3a35e7c9bec0284e27d8cd47b

SHA512
aea4423af754a3795637677f228c62670cd62848e0ae0e31b97c37b4c00808d9ff53c7a675283b75c273e0a65a6fe6dcfb7bf8fedc6941c8c3da776f7ed19a7a

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
400KB

MD5
c1c5696056bff1b6bbc07b44de57bea7

SHA1
2fbd012730c708aeb116310a8fa0c6b0717e9f28

SHA256
8c5eff01f933777b025faff86a2d7da36408df27b6641580cbd9aadd67a8c564

SHA512
8eb9752080ca19f00b98d1533118bb1d62876f76aeae3d951250c28b22b43fc69c3a711b75c9b538afeecd7798c0827e6db5665fcc5c15d044477d56466d84e9

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
400KB

MD5
5b9f0fc81baa138ee7f29259777312f0

SHA1
d19cc1af47b6debac4ce850da737341a43e8247f

SHA256
5fecd8e9ea7a5c17b44d2c9ef552293741276cce557c0ef19a80233e04163525

SHA512
f40aa23628b3a931848bbb0fe63b86e65c6e4bce39f8de48fab7cd710364aefc99d14dd995194bac9144dcdc4079c0877f58d3c3a86a4f3c7659b528e31ecc36

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
400KB

MD5
4d89ef0c661635aad7df9df6d2166a52

SHA1
460775c0437b4326f83dde904c2d98a516d3d0c0

SHA256
9042948961a41b8e616143996a52b6b327cab115731ebbdb2a41b985df1d05fd

SHA512
fed984c4636f46b3f89bb9a16dd7aea7274a5027e3a0a8f84d1bef3cba9aab59cbe2f854350b76fba3671f0df1e5e6e627c274be010fdb1b94b7fbdc39b3f19e

Download Submit
C:\Windows\SysWOW64\Ffjdqg32.exe

Filesize
400KB

MD5
b140f17cf9916eaeb244bc84b1d61388

SHA1
977bb359b0db9a681f7b170d304a0d8329793022

SHA256
5ff065eca393dfef86e08ed17b155209a554d426d6ca7a9191aba7ff934872bc

SHA512
31849f45e45ee2cb4fc19950f9f3250443e67b5ddf806fe68b4146525ba772f80efa0d3f3ed6b437e449fc4a60bba7c450546ff103984ff3e119c3f4d183c7ad

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
400KB

MD5
6c1cca35b1c912f2b1fe9fa8d0eab992

SHA1
d0c6940faae049e8016269901b5abca3f7ac1030

SHA256
e7b2c902c87731d590500992adf4b78874246e12cadb4e2b2b5bd9a1869285ee

SHA512
3cdd17cd62f5ce48b5e8a55bdb95a583e1f1623188513e6122365ab4a25231c9ee21c6d78357c8d920fd1b7ef8c2fe5c9c9c5dcbefabc27c0e74f5a3578162b1

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
400KB

MD5
052f1e53e556f4adfea52d6cdf3cd467

SHA1
e5f6bde15f98a7d040c30b0470dad1583ee59891

SHA256
8e8b76f7f51e090960b0bcda7ff3075d1585ca26365ce4c278c9de1d25ba4b13

SHA512
5ce221c5d458221b51619ac48b2c86db9aa57b0d93e673b9bb14c0878546efbc745c2e389e4dcb66ea62caf0e0a7521c0cf5545933142db189e969b10509883b

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
400KB

MD5
48d485f23cd53ec60b0b04ad7dd82378

SHA1
45f910af2b6e30bf49b31fdd91ff05a42c89309d

SHA256
3680d12ad2d1bba1f84a470c26bfe3e75c2b711c0b6f3ece2149942fe43fa1c9

SHA512
8f3af8ef05f9478048885c464946bbc60f025755953202a8f26036e01e69ac53422a7f5e802e08335548cf50408b6589c66aaafbbdce031ba5e2bafe1e3996d9

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
400KB

MD5
e59461c9ac29a3907fa95692d524eae8

SHA1
8b6b605acda9096c8aa59fd2c7ed579d0c3e9aee

SHA256
15ac05447864d2498502167f0d78cd0ec1cc2a759f415501b22b3dbd29c29e7d

SHA512
e7c6852f26101a514a7e6153ca826f921cd0c76fed995dd749155ca5cd5309e269ba12c418a14c9fbc07b8fbf53c769fe32390c8e36fce08ba1b17f583b08b6d

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
400KB

MD5
50bab935e85c822968462e390be338e9

SHA1
2ec0c842549a072ef058303588ee37cbc94f9329

SHA256
8be572ec91c6028ff8fa05c21eff30b8727ba7d5aaf5c3d00fc5f40f931877c3

SHA512
3ad7be1d1a351f8f0def4e987b26d4f7bf4bd328b67d79946547fdd2a69615d3c477df3ea75837fc1bd79d70624b6d33256947a10a53c999b4d24e789f3ba298

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
400KB

MD5
c104e1b1c6bf546fd0f7482de5b5385b

SHA1
6ff404d9fb353e85577b081419fdf3968c35f85a

SHA256
8ebed903e84ec9d3e6cdcc68e926df6d6d9dc53a606f123aef937b8aeef2ffc9

SHA512
a0d16934b8494377ed041a2b50b012dd2d90b563ccb7bf1c898eb4eb77e68510cf879a13d50d5423eaca92499f2c1830bf0601cd502fc0b743316eee445875d8

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
400KB

MD5
fc0c907ff80378afbfabd4ddaf0c6036

SHA1
f97d12f04a270cd54a13c5b67c384f8edd770b8e

SHA256
9ca735e35ef2bafbb6ef585b3e5b58649aa1d884166c410ff6005296f90b4a1e

SHA512
c14382bd468439a2e7495deb095542455338eb91ee341fbb478a50238ebb9bc19bec57fac55377c677cf03889c493a3286c036c4a3208cf9db4fdf439eebf92b

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
400KB

MD5
2081f4d3c193c203b4d445226fc72dd8

SHA1
3dcd261c799d0c567fc3642d141915814ece6ee7

SHA256
f03526662949aebf28fa33221f40dd4cb6ea303c5164549fe15dc4144a822c43

SHA512
6f739dfc665da46717bb5e79b5d74f7e74180be028ba0c5e6275a010c30ebfbc9b8703086d99ce5703d1845046a4d696a81664ad5ca483e8c7633b20f1315d38

Download Submit
C:\Windows\SysWOW64\Giofnacd.exe

Filesize
400KB

MD5
20bb06b3032e57431c2cde3f6755c999

SHA1
be36e086fe4e209756eded2878cdbb3ba0167c42

SHA256
a7a779c3cc9849951164faf6f7ad4a39d08c1ed66f6e1886ee17b7f81ead6c27

SHA512
1c76309f3ec8baf87ab04c0fed627e47e1694c3832e56918f4f4b3a380a11a0c3d6a282d4ba8111b8d9bf1258fc6274e87df0369a3294f627116ecd5d8da6a8f

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
400KB

MD5
4d496be5a701a78ba365989573b9bc3b

SHA1
fee8987f55cfb668071d332dab19b7c2b5537a34

SHA256
900417651785723ba88cc28afa9b654a0e8c1b9349c089476c9b47e968689ac5

SHA512
f9776c583d99bc8b8ab64777b03d90e2d7267d062db7ff3ee1f320eec3e77a9b57a5779afb98b7c567c0299363a673ae9991b2983e3e4b861b1e7f87a8fad152

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
400KB

MD5
34758e23f3366e605c324f4d04a90f9d

SHA1
3b411a0f2b64022500a8bde9f3238bfa001d8811

SHA256
9d8f8b200c09a9f0ecf66739e79a902cec24548e16a4ac2ba124c7eb9cc5fd96

SHA512
b776edbc574749d1afb3b22d72b425f6add8abf5445233b41ab1ec723122a2e46db8a9532cb6e1d635b5ba0b93587395a17d1379aff90adc0906e1d1307db6f0

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
400KB

MD5
2173a21eace37b9eb84d6304daa0fc8b

SHA1
abddf2e10f1e63d8d5388802c3923be2fa346532

SHA256
97a76e57f16c351fdb561c62f8b08cc538b368131a0f1d44f6afc10ae34751be

SHA512
6fc3605c92ad0206be4b4a7f68e7cfe0b2bd3bca106341993e75de00279a1aac00f75ab911c063856c95c868f6905368359da70dc5b0c6b693897d092b4656e2

Download Submit
C:\Windows\SysWOW64\Gqfooodg.exe

Filesize
400KB

MD5
76154cf67068e91a119c07cae6e46ce0

SHA1
38b6dd76cc9bbace286f569135942fd018ff177d

SHA256
8dfc325470804dcc8b3f2cd5a16529ca8eb60e924b93f247ff86cb4c977d8ddf

SHA512
ad1495b96ce1445c44682b71e94a00d198d751e09723f7225c5be15aef1bad6e4f6052340bc3174a268c39a2cd6c4be785006945ac83f55f60a1beb0306bad9c

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
400KB

MD5
bd0da3b901db13df34cc97ad588a8e9b

SHA1
70ce20ac650e11d2822015389b26597f17e22ba9

SHA256
5d98c62d22e7e32772c913ccf6c4dda65f435a92fe02a85d45bb6ab6dfb3d414

SHA512
8c49d005fa5a69852a77d4c22ceef4d0a2b8a0ef8fd8243331732e61308c6f9d0a46b1011adb24bfe28f73213071cab5c420bfdb6e0d13da88064393e1545eff

Download Submit
C:\Windows\SysWOW64\Hippdo32.exe

Filesize
400KB

MD5
e8da0940cd223567c82fa79e4f645839

SHA1
b7580294e6f61223466a1d308cff7058b61fb7cb

SHA256
e8a72469cba0365f2db95bae2af5331631f8b3b0eb1fdb87b49c538454f5c980

SHA512
6f508ddbd6c69177ca788fabe018d8bb60d83729c54ff5ad567ad6d9f599cd35d080aeaef4da54517472088921cfcfb1ae9372bda15fe1da3bcef8112233c3e0

Download Submit
C:\Windows\SysWOW64\Icjmmg32.exe

Filesize
400KB

MD5
7502544eb19fbc55ef746119dc487789

SHA1
f76f32e1759d7bea2dbd094cdeb4a0ba197c2494

SHA256
fc314bd0f4c912ce1078196129005af5b243e1e34a8703562c80d68a1e5d7905

SHA512
d3105a5e665ea93ccf260701c12dea6e9d53f1c44cd29c198a1e3ee0d4779384849e19085e823e866295bfaf38fce31720705d723d8a595992ac922382cb67c1

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
400KB

MD5
db18dd2914d00fbf03bd746b657bfcba

SHA1
4641e25b07902b05d205d2152ac27edf7bb12f7c

SHA256
9e237978e68b1bfd4c82e5518f87bbc9e115c77213ea683d8d5797ccaf500b53

SHA512
e6f3ade96f4e53f9919bcbc022749200c3804619fdf550fd8c6d80e3cc1ef8687faebe5e0c033c99b13ce7ea9517238be56d0ebc8d5493a1f3a946cd24143c5b

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
400KB

MD5
e6cae65d2413f802336a0064de3f7ae5

SHA1
0def102692b5f430b5cc8e145d7b1789d0f4a2d4

SHA256
7cae5c384601e4067b904a3cec01e4243ac895afc7da12b4f0dc288bc2d9ea34

SHA512
a82d396520b822c474f3f8096e1ec0799b67094e1f9ef05744bf50652094d9820ce881829d12ac07af8d2b226cab708dc6bdb5ad180052012c8d68de5538b6f6

Download Submit
C:\Windows\SysWOW64\Jbfpobpb.exe

Filesize
400KB

MD5
59f360f5f0480f76cb67e09e0ff48814

SHA1
fc331a03a4e8b097d246052a74d68e771504257c

SHA256
2f252b27f54b71cc256cd9b10233953d5e292bf3855a3141c41354174a1320f5

SHA512
f426f7b12cf9086d065b1a428202a8eff6d058c48fd15f191fc0d520c7f4ea02238ae5c6c3a673a7cdaf8ee4df4631e8fcbbbb579f6bd5db1c266a17dc4ad43a

Download Submit
C:\Windows\SysWOW64\Jdemhe32.exe

Filesize
400KB

MD5
42dd8359c127ad962e33ad2577860a64

SHA1
c2580ce05f56fd22659f52ad165d6483f7b8412f

SHA256
9babbadc16f77e325840882033abce3b03758b69dcfd7efbf315e4df62f7d0c7

SHA512
88a49a8a0b58348986fc59da470fb705ff2ae6689836c74c0281954aa7e08470fbfb13822fe3be364ba347f57aa959f0b426faf425417988cf52f87d505c4cb1

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
400KB

MD5
c2b6dfc8826affd6e2b1085c7986139a

SHA1
4b0ef97cf295ccba18368a671c3740ab05f936da

SHA256
edf5df6b68031845fd13a6103488734118d42205dbefb5d77de7318b2351ada2

SHA512
c963acc65d6a2c85495f270786187247de190599525ca1ade5a59a020cfba783dfd2759e97597bafe7cf8369dfb4de30271f3faad8f213b7a03cddaec658615c

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
400KB

MD5
49a9c6f274ad36fae9c45925474d4d74

SHA1
233382fb564c4b349c4ce9c55d30a1ec82e56cdf

SHA256
862cfa53fbcaa7ef8a920c19d37e30d70e277c37ba99671ca9e6641265992543

SHA512
0bd22961891585d4efa865e946f760ef4a4b3c50fbc83604574e20587161671b7fc54fdbfdc196336f18ab73349a88b7573a909b3b9a1846cacd018aa135211b

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
400KB

MD5
3b13ef741f397293605cacf31f8d209e

SHA1
73fcb7ea54fbeeed0d3215c91e27f16ae3fed002

SHA256
47aa78ce8daec4266ef7c4c17b2378f895bdf27439736e24af7fd50f2e4d789e

SHA512
1df8e3cef6d3a1db01657685579536b354e7939fbe6c66aa282547ead31f87745f42234fd9c14344f17ea401a2849af73ffd1c65bcc48f545a0a3f1142e3df19

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
400KB

MD5
c4c57424a19673a38677283f9f73f546

SHA1
2707e873d8376335e56a3e4a64b5051367f5853e

SHA256
d0a184265c99ab035a8a73cca630df913264f943441943e5b8d34d40cdaf903f

SHA512
8859344900863713d1b2be5f70cb86f0ef4d4d721e0679876d4c4a2a7f5a778cca14b9d557f57a92fcad569237b1f66f7352d265c99c72c3df18897edb4803fc

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
400KB

MD5
087d0468dcb21b855792ec6a13f68565

SHA1
5cb0e101b012fb790bbe8fbd644622b7ece63fab

SHA256
6e14747f46af2b09da4f5e2b50c4882f9a46023ff5301fc8e5d3e9e40fc9e20b

SHA512
7d7cc6bd9fbe6a3b2d781454c08654d067e0fdc9e489b172a33f2ef512e3e5fed81e356a7746fbcd86b247d04bcbbb25350424027dd80678f2c6a0a450236d94

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
400KB

MD5
4eb04f62e1a6fb85d4a887bf2ab14784

SHA1
aca0165325c8ef240e3618b3058f4bd5ec056d79

SHA256
1df5cb3a1ee6c7c14fabbbbd8b7e04574d2012410ac8d53bf55a85e7090e59b6

SHA512
836843b83967841d2502946ec75c93ab625f33d1239528c1945e6c66e539e7e16ece0394f1a774b52ca52ac7c1fc2a93c11311e69b77e29eb002167e753a4f8a

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
400KB

MD5
46df6d2a75d0ab75656cb4113a94a71e

SHA1
af7d4cea3127f7e06bfe2eff9bba2c291aa9b74d

SHA256
485f5cdcc3fb3ae3a9d2fed1d76f0dc4f2066af14412b35239c75455d2d63044

SHA512
9b56391d6baa319401196d43780f1a6a7cfaaed7e5a0b79c5fdcb6fb8cdccdbd7d6c2d3c485864e90e9eb485774886e2cf8c23dea87618faba2ce89f66f4a6bb

Download Submit
memory/232-145-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/372-325-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/544-238-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/620-532-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/708-331-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/712-373-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/728-601-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/728-69-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/732-925-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/732-463-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/768-451-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/820-411-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/820-940-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/904-289-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/964-283-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1112-0-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1112-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1112-543-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1120-40-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1120-580-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1168-407-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1232-282-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1384-602-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1420-367-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1432-301-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1464-200-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1580-433-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1596-385-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1636-121-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1720-21-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1720-560-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1776-226-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1808-587-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1808-48-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1880-524-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1884-231-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2008-355-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2024-152-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2068-337-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2072-481-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2196-421-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2248-496-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2348-616-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2384-177-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2416-353-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2520-479-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2560-105-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-113-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-1030-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2712-73-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2712-608-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2736-457-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2740-271-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2748-623-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2768-391-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-615-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2856-81-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2932-57-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2932-594-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2960-562-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3028-129-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3032-254-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3040-228-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3064-33-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3064-573-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3084-307-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3148-486-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3148-915-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3164-185-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3348-449-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3368-137-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3372-609-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3424-519-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3424-905-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3752-415-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3896-498-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4040-1015-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4040-169-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4128-989-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4128-269-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4268-161-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-323-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4272-971-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4352-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4352-554-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4364-401-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4388-595-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4456-427-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4504-567-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4504-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4528-295-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4580-96-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4580-629-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4624-317-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4692-588-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4840-379-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4900-439-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4944-622-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4944-88-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4948-574-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4980-343-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5004-361-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5012-857-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5028-530-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/5064-586-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads