072d1b535fc9eb0b59c3aff17bf304ea03b3ef0daba6c5c3709ad2d11212942c

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 18:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

072d1b535fc9eb0b59c3aff17bf304ea03b3ef0daba6c5c3709ad2d11212942c.exe
Size

376KB
MD5

c34193408521163b45562746386ad8b9
SHA1

169359a5d84f65b575b2a136fe7184df29ddbf15
SHA256

072d1b535fc9eb0b59c3aff17bf304ea03b3ef0daba6c5c3709ad2d11212942c
SHA512

e5e08932f36908a27abc6e65c72575b18acfd99574ac8c5ba34f02114fa698d780c731241acde25081b46c42e9c030b1dce3e538edf97b2fdd3a8f776b3e5c3c
SSDEEP

6144:6C4MERy0GC7oQ0IV/Atl/AtW1OE43V1+25CzRoQ0Ibl4HdE43V1+2:t4nRyc50I2mi4lCzb0IF4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhdmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijfboafl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iinlemia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Giacca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hccglh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpccnefa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gimjhafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijkljp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpojcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jangmibi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjlfbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibojncfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjapmdid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfljmdjc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	072d1b535fc9eb0b59c3aff17bf304ea03b3ef0daba6c5c3709ad2d11212942c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjqgff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe

Executes dropped EXE 64 IoCs

pid	Process
2112	Ehonfc32.exe
1288	Ecdbdl32.exe
4052	Fqhbmqqg.exe
2636	Fbioei32.exe
1240	Fjqgff32.exe
4136	Ffggkgmk.exe
2056	Fmapha32.exe
652	Fjepaecb.exe
2040	Fobiilai.exe
1128	Fbqefhpm.exe
4476	Fjhmgeao.exe
3124	Fmficqpc.exe
4856	Gimjhafg.exe
2176	Gmhfhp32.exe
5044	Gbenqg32.exe
2160	Gjlfbd32.exe
4244	Gcekkjcj.exe
464	Giacca32.exe
3360	Gpklpkio.exe
1060	Gjapmdid.exe
4044	Gcidfi32.exe
1116	Gmaioo32.exe
3152	Gppekj32.exe
452	Hmdedo32.exe
2752	Hcnnaikp.exe
1308	Hfljmdjc.exe
2052	Habnjm32.exe
2388	Hfofbd32.exe
1076	Hadkpm32.exe
3460	Hfachc32.exe
3032	Hjmoibog.exe
1588	Hmklen32.exe
740	Haggelfd.exe
568	Hbhdmd32.exe
1684	Haidklda.exe
2788	Ipldfi32.exe
1384	Icgqggce.exe
4460	Ijaida32.exe
3912	Impepm32.exe
3008	Ibmmhdhm.exe
2020	Iiffen32.exe
3280	Iannfk32.exe
2956	Ipqnahgf.exe
2736	Ibojncfj.exe
4704	Ijfboafl.exe
4428	Imdnklfp.exe
1556	Ipckgh32.exe
1216	Idofhfmm.exe
1332	Ijhodq32.exe
4960	Iikopmkd.exe
4148	Iabgaklg.exe
3840	Ibccic32.exe
1404	Ijkljp32.exe
4420	Iinlemia.exe
1560	Jaedgjjd.exe
4276	Jdcpcf32.exe
2968	Jfaloa32.exe
1492	Jpjqhgol.exe
3196	Jbhmdbnp.exe
2408	Jjpeepnb.exe
1648	Jaimbj32.exe
4700	Jdhine32.exe
3264	Jfffjqdf.exe
212	Jidbflcj.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hdgohg32.dll	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Bkmdbdbp.dll	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Gppekj32.exe
File opened for modification	C:\Windows\SysWOW64\Kpepcedo.exe	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Ipqnahgf.exe	Iannfk32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jpjqhgol.exe
File opened for modification	C:\Windows\SysWOW64\Jidbflcj.exe	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Fibgnfha.dll	Fqhbmqqg.exe
File created	C:\Windows\SysWOW64\Idofhfmm.exe	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Ceaklo32.dll	Hmklen32.exe
File created	C:\Windows\SysWOW64\Fojkiimn.dll	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ijhodq32.exe
File opened for modification	C:\Windows\SysWOW64\Fqhbmqqg.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Jpckhigh.dll	Gimjhafg.exe
File created	C:\Windows\SysWOW64\Mngoghpn.dll	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Jdcpcf32.exe	Jaedgjjd.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Fobiilai.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Fjhmgeao.exe	Fbqefhpm.exe
File created	C:\Windows\SysWOW64\Giacca32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File created	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File created	C:\Windows\SysWOW64\Ipckgh32.exe	Imdnklfp.exe
File opened for modification	C:\Windows\SysWOW64\Ijhodq32.exe	Idofhfmm.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jjpeepnb.exe	Jbhmdbnp.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Gcidfi32.exe	Gjapmdid.exe
File created	C:\Windows\SysWOW64\Jpjqhgol.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jbocea32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kpccnefa.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Fjqgff32.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Haidklda.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaida32.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Ijaida32.exe
File opened for modification	C:\Windows\SysWOW64\Imdnklfp.exe	Ijfboafl.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Fqhbmqqg.exe	Ecdbdl32.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gpklpkio.exe
File created	C:\Windows\SysWOW64\Gcidfi32.exe	Gjapmdid.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ijkljp32.exe
File created	C:\Windows\SysWOW64\Kpccnefa.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5832	5740	WerFault.exe	198

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phogofep.dll"	Ibojncfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehonfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibmmhdhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjpeepnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkfpkkqa.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfofbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibmmhdhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblilb32.dll"	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijhodq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmfdgkm.dll"	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilaidmmo.dll"	Gmhfhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkeebhjc.dll"	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hbhdmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijaida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndninjfg.dll"	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpojcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbocea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Habnjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fobiilai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chbijmok.dll"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddbig32.dll"	Ipckgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmaioo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmeid32.dll"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpklpkio.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2112	3420	072d1b535fc9eb0b59c3aff17bf304ea03b3ef0daba6c5c3709ad2d11212942c.exe	81
PID 3420 wrote to memory of 2112	3420	072d1b535fc9eb0b59c3aff17bf304ea03b3ef0daba6c5c3709ad2d11212942c.exe	81
PID 3420 wrote to memory of 2112	3420	072d1b535fc9eb0b59c3aff17bf304ea03b3ef0daba6c5c3709ad2d11212942c.exe	81
PID 2112 wrote to memory of 1288	2112	Ehonfc32.exe	82
PID 2112 wrote to memory of 1288	2112	Ehonfc32.exe	82
PID 2112 wrote to memory of 1288	2112	Ehonfc32.exe	82
PID 1288 wrote to memory of 4052	1288	Ecdbdl32.exe	83
PID 1288 wrote to memory of 4052	1288	Ecdbdl32.exe	83
PID 1288 wrote to memory of 4052	1288	Ecdbdl32.exe	83
PID 4052 wrote to memory of 2636	4052	Fqhbmqqg.exe	84
PID 4052 wrote to memory of 2636	4052	Fqhbmqqg.exe	84
PID 4052 wrote to memory of 2636	4052	Fqhbmqqg.exe	84
PID 2636 wrote to memory of 1240	2636	Fbioei32.exe	85
PID 2636 wrote to memory of 1240	2636	Fbioei32.exe	85
PID 2636 wrote to memory of 1240	2636	Fbioei32.exe	85
PID 1240 wrote to memory of 4136	1240	Fjqgff32.exe	87
PID 1240 wrote to memory of 4136	1240	Fjqgff32.exe	87
PID 1240 wrote to memory of 4136	1240	Fjqgff32.exe	87
PID 4136 wrote to memory of 2056	4136	Ffggkgmk.exe	89
PID 4136 wrote to memory of 2056	4136	Ffggkgmk.exe	89
PID 4136 wrote to memory of 2056	4136	Ffggkgmk.exe	89
PID 2056 wrote to memory of 652	2056	Fmapha32.exe	90
PID 2056 wrote to memory of 652	2056	Fmapha32.exe	90
PID 2056 wrote to memory of 652	2056	Fmapha32.exe	90
PID 652 wrote to memory of 2040	652	Fjepaecb.exe	91
PID 652 wrote to memory of 2040	652	Fjepaecb.exe	91
PID 652 wrote to memory of 2040	652	Fjepaecb.exe	91
PID 2040 wrote to memory of 1128	2040	Fobiilai.exe	93
PID 2040 wrote to memory of 1128	2040	Fobiilai.exe	93
PID 2040 wrote to memory of 1128	2040	Fobiilai.exe	93
PID 1128 wrote to memory of 4476	1128	Fbqefhpm.exe	94
PID 1128 wrote to memory of 4476	1128	Fbqefhpm.exe	94
PID 1128 wrote to memory of 4476	1128	Fbqefhpm.exe	94
PID 4476 wrote to memory of 3124	4476	Fjhmgeao.exe	95
PID 4476 wrote to memory of 3124	4476	Fjhmgeao.exe	95
PID 4476 wrote to memory of 3124	4476	Fjhmgeao.exe	95
PID 3124 wrote to memory of 4856	3124	Fmficqpc.exe	96
PID 3124 wrote to memory of 4856	3124	Fmficqpc.exe	96
PID 3124 wrote to memory of 4856	3124	Fmficqpc.exe	96
PID 4856 wrote to memory of 2176	4856	Gimjhafg.exe	97
PID 4856 wrote to memory of 2176	4856	Gimjhafg.exe	97
PID 4856 wrote to memory of 2176	4856	Gimjhafg.exe	97
PID 2176 wrote to memory of 5044	2176	Gmhfhp32.exe	98
PID 2176 wrote to memory of 5044	2176	Gmhfhp32.exe	98
PID 2176 wrote to memory of 5044	2176	Gmhfhp32.exe	98
PID 5044 wrote to memory of 2160	5044	Gbenqg32.exe	99
PID 5044 wrote to memory of 2160	5044	Gbenqg32.exe	99
PID 5044 wrote to memory of 2160	5044	Gbenqg32.exe	99
PID 2160 wrote to memory of 4244	2160	Gjlfbd32.exe	100
PID 2160 wrote to memory of 4244	2160	Gjlfbd32.exe	100
PID 2160 wrote to memory of 4244	2160	Gjlfbd32.exe	100
PID 4244 wrote to memory of 464	4244	Gcekkjcj.exe	101
PID 4244 wrote to memory of 464	4244	Gcekkjcj.exe	101
PID 4244 wrote to memory of 464	4244	Gcekkjcj.exe	101
PID 464 wrote to memory of 3360	464	Giacca32.exe	102
PID 464 wrote to memory of 3360	464	Giacca32.exe	102
PID 464 wrote to memory of 3360	464	Giacca32.exe	102
PID 3360 wrote to memory of 1060	3360	Gpklpkio.exe	103
PID 3360 wrote to memory of 1060	3360	Gpklpkio.exe	103
PID 3360 wrote to memory of 1060	3360	Gpklpkio.exe	103
PID 1060 wrote to memory of 4044	1060	Gjapmdid.exe	104
PID 1060 wrote to memory of 4044	1060	Gjapmdid.exe	104
PID 1060 wrote to memory of 4044	1060	Gjapmdid.exe	104
PID 4044 wrote to memory of 1116	4044	Gcidfi32.exe	105

C:\Users\Admin\AppData\Local\Temp\072d1b535fc9eb0b59c3aff17bf304ea03b3ef0daba6c5c3709ad2d11212942c.exe
"C:\Users\Admin\AppData\Local\Temp\072d1b535fc9eb0b59c3aff17bf304ea03b3ef0daba6c5c3709ad2d11212942c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\SysWOW64\Ehonfc32.exe
  C:\Windows\system32\Ehonfc32.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\Ecdbdl32.exe
    C:\Windows\system32\Ecdbdl32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\Fqhbmqqg.exe
      C:\Windows\system32\Fqhbmqqg.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        25⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        28⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4328
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        35⤵
        Executes dropped EXE
        
        PID:740
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:568
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        37⤵
        Executes dropped EXE
        
        PID:1684
        
        C:\Windows\SysWOW64\Ipldfi32.exe
        
        C:\Windows\system32\Ipldfi32.exe
        38⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        41⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Iiffen32.exe
        
        C:\Windows\system32\Iiffen32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4704
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4428
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        52⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        53⤵
        Executes dropped EXE
        
        PID:4148
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4420
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        64⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3264
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2748
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2228
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        75⤵
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        76⤵
        Drops file in System32 directory
        
        PID:496
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        78⤵
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        79⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3472
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3548
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        83⤵
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        85⤵
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2284
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        88⤵
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        89⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        90⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        91⤵
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        92⤵
        Modifies registry class
        
        PID:3220
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        94⤵
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        95⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2080
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4820
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        102⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        103⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        104⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5260
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        106⤵
        Drops file in System32 directory
        
        PID:5304
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        107⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        108⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        109⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5524
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        113⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        115⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        116⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 400
        117⤵
        Program crash
        
        PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5740 -ip 5740
1⤵
PID:5812

Network

DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

210.131.50.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

210.131.50.23.in-addr.arpa

IN PTR

Response

210.131.50.23.in-addr.arpa

IN PTR

a23-50-131-210deploystaticakamaitechnologiescom
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
DNS

205.47.74.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.47.74.20.in-addr.arpa

IN PTR

Response
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb58045383fd4d49bd0a2058004bd408&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb58045383fd4d49bd0a2058004bd408&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=07D4C1E6A41A64110567D578A5FA65EF; domain=.bing.com; expires=Wed, 09-Jul-2025 18:24:45 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: DB386E0EF3D04259B84BA5DD062A9C57 Ref B: LON04EDGE1213 Ref C: 2024-06-14T18:24:45Z
date: Fri, 14 Jun 2024 18:24:44 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fb58045383fd4d49bd0a2058004bd408&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fb58045383fd4d49bd0a2058004bd408&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=07D4C1E6A41A64110567D578A5FA65EF

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=JHAIlyak9C1dUGZvQCuqgNr6LYRDxQSr8Yj5QVIA1xw; domain=.bing.com; expires=Wed, 09-Jul-2025 18:24:45 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D7BBAA53F259482081B5BDADE25EC675 Ref B: LON04EDGE1213 Ref C: 2024-06-14T18:24:45Z
date: Fri, 14 Jun 2024 18:24:44 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb58045383fd4d49bd0a2058004bd408&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb58045383fd4d49bd0a2058004bd408&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=07D4C1E6A41A64110567D578A5FA65EF; MSPTC=JHAIlyak9C1dUGZvQCuqgNr6LYRDxQSr8Yj5QVIA1xw

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 0E8FC351E3294341BFD4D6D8A421CF27 Ref B: LON04EDGE1213 Ref C: 2024-06-14T18:24:45Z
date: Fri, 14 Jun 2024 18:24:44 GMT
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

163.126.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

163.126.19.2.in-addr.arpa

IN PTR

Response

163.126.19.2.in-addr.arpa

IN PTR

a2-19-126-163deploystaticakamaitechnologiescom
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb58045383fd4d49bd0a2058004bd408&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=

tls, http2

2.0kB
9.2kB
21
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb58045383fd4d49bd0a2058004bd408&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=fb58045383fd4d49bd0a2058004bd408&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=fb58045383fd4d49bd0a2058004bd408&localId=w:12D800F8-5EB4-CAF1-6CA7-FE64B9B0CF8B&deviceId=6825835407611525&anid=

HTTP Response

204

8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

210.131.50.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

210.131.50.23.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

127 B
308 B
2
2

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237

DNS Request

205.47.74.20.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

163.126.19.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

163.126.19.2.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
376KB

MD5
c2c1bcf4efefb6a732cdd6b0f79cdf3f

SHA1
1d8ad006df69751d749055a70218a380aecc0083

SHA256
8292d1eaf56eafcb4387fb4e1380cf406a4b67f946cbf23dd7c65615607f2af2

SHA512
8c66cac950fda24cfca951fe3d0c8be4c22f609127622133d36306079155cbc27cdde713b86288f6230158ee72958200b432d5a07d86f351d6f78dba1c12e163

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
376KB

MD5
3741a3e442c47c585ed07c456c4ca6e2

SHA1
00d8f282663671a813bcd13992037b1b1e87f1d8

SHA256
40095f8c7188c1839e99681a2a25531e8951395742c68716955d36f998c1895e

SHA512
fc63b13f17589c2f846e16897fb54967b2470db55545262af2ec0e66ddb488a393bf8c012e21f7bd5f4012421f16f5b537d41eb51ebd200cfa81a44baa950a91

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
376KB

MD5
ea76af8d1ce3cab69cb94889002103ff

SHA1
cff62dcd12c5c25991128f5a57aa0d9c3551def5

SHA256
ae9660bb96ba8b0279b5e2eca455c393baebd9f865647a546bd76dda40f24a1a

SHA512
466933411dc175f456c8cdf10dc5ecc5374e25234cbdcba895055435a31fbcaab92ca789696798a93b803d8f254427b3b4e871c4b20c89f5643d36f8ddf8a760

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
376KB

MD5
ae6680fabc2917e917dfdadae6dba6dd

SHA1
a40b395b8e6e570996db0dd6ee96a5ec6a22d10f

SHA256
0c70ac69710458e7788a6a5ea7a75c5be634d28285a492e1181b69e50e5c7b21

SHA512
f5b82ad81bb472856e8d54156bd04d0dbe61fee28436db32b3b47b0b8374bc899d6c1cf14f33b835385a0bafff0dcea0b675cbde049f01c7b2b65648b36c4499

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
376KB

MD5
83646a8d595245e49afb6ce8281f36c3

SHA1
8637e09713d81c5554684d914f7753ad2362911b

SHA256
22307b2024fc6a62fbdcf34fea0cd6ac4738e671120c5561bc0e1042e5113860

SHA512
8b13818ead7c78819b421af54e5c5c007f0a830381ca4ff59e5da4d74de35bfec98c1ddd7c354d27c92d1ecf9e1290bf1e2d7821bb651e63268fc66db8e67d41

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
376KB

MD5
e46e60ec9b27e6c8e469a087cd09b11e

SHA1
fa262c3b04851dbcf20f17a02eda66fcbadc86e1

SHA256
bfb4128f2fd04a18659738bb75f79e1712eb1ba7cee0a553a52b5c8e904fec91

SHA512
46b847212a2b16a0390fb3690a3b2fc095b94d01145381a1a44c8aadf12155ae84635635b327cf4bc8d102fef51771f032543483fd93eabe21cdc0a85803d3e0

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
376KB

MD5
56cca8f435eb3c35aec75a17b370a37a

SHA1
8f38d9647309c3411bcb2f49264753766c86897c

SHA256
d4a226107ef04b670757aca5a00fbacec01e3825252cfc8e1299782f9658aa54

SHA512
ceb0159c15387575cb7ee7fbd8e103ee92dcfca26f24f5b75b8c55850339a3c7d7d415dd7e93de5e2a39f73365d8fb1225c22a972b7c39c0f362e8c8167511bf

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
376KB

MD5
aa2c8ca4de8a6c36e5e1d6a6368ae45d

SHA1
e8e2d4200d3f6fb40755606ed2766ed9f545b3ff

SHA256
e2d57e6b92818a8b308179195edf653cd4ffae52cc97618d09ea7ba5292c8ab9

SHA512
02fa5e1fdadf543eab71969c244b71cefd39be9a7ec9e0965fb91f86172960adacc83d4eb228f1d08c8eae311cba9dc96edc7d6432d19de3cd12644c472f0bba

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
376KB

MD5
46410bb2d97ba3102f39057d66bf8fd5

SHA1
dd566da92916ef182dc7ed30b5a84e1837b58939

SHA256
27b3d3cbfedd16fb6074a120cb637f6c5a9f4b07e82531ce5c155cf4225cc763

SHA512
380afc7e1dca7693f5bb45bb4450bb9d9bc667df58c76f04d34521ce77745e527c958ecc0d61e0290cf8a278f7da1f7fae7fa6a37ee01825a6484f5964b34a7e

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
376KB

MD5
f318779112b11ef057cec5a6dbe6a76f

SHA1
ed302d974c6a00b75d07340bd175b4eb1fecf571

SHA256
eb63377d1223f1038b3832260ce098a01151417cdfed8d18f626ad1358f86762

SHA512
dc8a55cd070296f404613c0268b8bbd582e49720b5702371fe73716edbebb0fc6f0d75ba7506b2cb8663bbaf8bab88de7783c076d211dfd6de828fc5be56753b

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
376KB

MD5
0cb6102e6e426717c3c5a00a8884dab9

SHA1
77047cfb7e054200d905871ad64cce9e2c0c2aec

SHA256
22412d596c7795d9e6194708dd541ee32d9230f52c1f241ab30ae6e25e3f0cf0

SHA512
796c6e800c62cff6a80d659dd5676707ab113d5f71f06b868440f0e5eed8d103ccdeceb89c52bc98c752d025a374ce48c2b8f622d0dfd4b2d0a5061f62e02505

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
376KB

MD5
3902c28392dce47e0ffccf04c2c589c3

SHA1
dd258affd39f8cc78d0f1312378866bd526c75d4

SHA256
e6b5e4d1242a4d9a1175dbc43338636e6c28389c1bd1c2738f6e358c237296c5

SHA512
fce09a15c17e7c7d2161d70a152901eaf62541810a6aab042b432aaa55f7cc32a60352630ee59097d09ca732e3ae356c9e9b07b156516c84be0c8bcfc9b3693c

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
376KB

MD5
f72e2c7e29474a3585dfd41e31fff1a1

SHA1
3f389d867921411d3f6de200b0a49efed3fdcc84

SHA256
91d674ed748b8acf1b90f6910170908ab4ff07159b81beb1652ed021569e9fb2

SHA512
4db691f0a0b2a7473b5c6efd7579098923da0068edad9144b08fcb9f6483e298cf68bd13e4171a6ce65979404ed86481169db6883afdb3188ada668d30c1d680

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
376KB

MD5
b5317b33fa1ad4b8ae2d32dccfd891d4

SHA1
bdfd79ccff798a8d9ffd18f67e4768b42f2709df

SHA256
f1d9eeb6b0fee1535838ddf714c1bda006279804ad418527fb693e5f99fd611e

SHA512
381759f830e80e768c0cbb5b043304d658bace4670f26e5de9e466c23869fe9bd2f8c31787f08d39a61cf8b015de0cec7d171837e74b628241b79de194e38325

Download Submit
C:\Windows\SysWOW64\Gcidfi32.exe

Filesize
376KB

MD5
107a99dfa69107c4c2f0b354ef37989f

SHA1
84920100c7e21baec82bf5f51e37174b1537e24a

SHA256
f00553c10320927cc44b0b2e605595204e8df1c16a402d6544747cd806b227fa

SHA512
f5bc23d7a8c1ddcbed880b613249b58c17e877497eb7c1d54c63a0a89f061734519ee8cb89a97e277cc5c01bc2a28446ad246308c21600c1be38111aa06304ee

Download Submit
C:\Windows\SysWOW64\Giacca32.exe

Filesize
376KB

MD5
785255cb907c3bef19f42c440acfdd93

SHA1
d79402d25fdc51226459254ed5fffe4d8fe780c1

SHA256
7272a1f3b0b4f6c03ae813ad99cad92d9465f849f8dc81325e09c85cf4063582

SHA512
e1c9ad3a35a5fc1c8f19e181c5da1d7a3989fa1fb037004f8667f4b09aafa118269cd01c1b7b6c2f833d307b02f887705c30ab6389e8edf977455f0ec6b4db79

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
376KB

MD5
fc9e2c7620d90d54d703a8f7efd6795b

SHA1
4053e89d2431529241d7f5bce9ec5c64de70878f

SHA256
9aa35873101366dd7837762fdcf45cd97442d20b5112aa28dfd291636698ceb7

SHA512
12cc02b18ad9c5a2461036b48ecdadeb963d011c1e6238950f4454c470e789b1965073c85d9cc5fcf28cda5bc58e232657a37620805e9674e67f331121629db7

Download Submit
C:\Windows\SysWOW64\Gjapmdid.exe

Filesize
376KB

MD5
a684c55366ac2fc502b0c92381cb0c3d

SHA1
c044eab2e2d0f69a37b400b240f8c2c04afe811c

SHA256
fc654ff5d4211a76a6d2a1d09b716765195324565e589d931f1323ebe3b43aae

SHA512
354a2afda106299321ea077d438b3216f0c074751401d7abb528826832482faf94d315f4f574308d60723589dc0ed255fd3feb5f425e704af083be0f5cf4faac

Download Submit
C:\Windows\SysWOW64\Gjlfbd32.exe

Filesize
376KB

MD5
17f2d25bae0d7742316acaf93acfc16b

SHA1
154c90ace6282ae83b536624090fe56673161d7d

SHA256
d29c7598ed32a43bede834b87fba5b4b05b010bc8d4e24c7ce7dc3838e486183

SHA512
4da52db6f87e6e6611ca75f5704eb1f2dfe513349b6ca83a888e1739d006c65b0d8169c69ef74e44ceea03f7b220c659b9024c04e5da3eb809af2d22c16903a9

Download Submit
C:\Windows\SysWOW64\Gmaioo32.exe

Filesize
376KB

MD5
922c916ccde724b8578e543a833b4622

SHA1
96c7d10bac06111d726e90ac16b5518cdf7a934d

SHA256
5a2792b80bb15ef2fc5c4b51e89556e33ea305ba0eb0574ce4381989811271d1

SHA512
2ed81980ff9e8a61f82c7694fcf860f79144e2d967427558c93ae275a0f04bbeb6dc6a5d4616b45d37a078acea84df4100f0f44803cbbda0f2e152838192fe2a

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
376KB

MD5
f9a5b262cd93c9077f09a160cfc7a057

SHA1
b4e1a22afcf5bf4a47d77958e0adf5118565f436

SHA256
32d79c977834612a0c096c7e0d516d31d0ab0f9e4446650a0b3e2d2219904248

SHA512
42d0db5636ca7d4d504c17c9538e771ca6c21d0004c1131e42260c5f7704f60057ec07b2b33f16ac453b7d450570dbf2858f374aff1d5abbbca682ae1ca2fd20

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
376KB

MD5
ed3d7e40b996c21ef92d0d6699ea2fcb

SHA1
4fff759941913a72c5c869d6faf9d1f288d3e039

SHA256
5afa555b48bc37c76e19c8c1184939e6accca4ee9c8098a3a678808dc2ca7bc5

SHA512
aafe156d05c497e56e6d3ac0a2aa0575e8d7a63111730114d08c097cf1362655565ab9517ce9121cd4b1bf779781534d92b4a883606ff59408e7d8356ad3fcae

Download Submit
C:\Windows\SysWOW64\Gppekj32.exe

Filesize
376KB

MD5
c870830c40f9513ad5dfa9d474c43a85

SHA1
af3bebd3a2c29ec0f56aad5b74aa9209a7aa059b

SHA256
e29b71acd135667d3c4488896968b21a424de43fa4dbd0f9e96bf1bb6035ea7a

SHA512
45e922c6497b9fac77d1921c56ceca4611e6691ba6c7c648ea91a856ef24daa8eca952f6fe9391367d1c538016ea39f8fe8facfe1725b74a431ccb5a4f657937

Download Submit
C:\Windows\SysWOW64\Habnjm32.exe

Filesize
376KB

MD5
bcbe0ebb265ded2945b88973b9372f0a

SHA1
d00ea1c87f3e23c35447cfe40e70ac5727d4dcad

SHA256
6bc9a5bf6663c03f2829a8d3ab71888fb9d1d5c3f8c79fad0c0f2a69784a0829

SHA512
e01f627c0f97d3ac8fa32e4e29dbc582bea6ac874892f9450eaba032fac280c8df5fde9ddf5e5d4be59888695b4f7d25d56534034e1d8f5c0c6e957657783d8b

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
376KB

MD5
3067712d77c786420ca5e25d72fed321

SHA1
f5dbc9b1e3bfd49851c50c96034e87b04366c943

SHA256
766ee85c5039efd6f263f1663f28eb54f2c1f905c43a6564d0b7311a8457d6ff

SHA512
7c999d2873e719b74d569b186eaf0d62f9a3a4fccdb58b123ed09c38ef4e1fcaf9824a3323db5327cb0785c5a0d1b755730a506fb00cb717af05b05081c1c32a

Download Submit
C:\Windows\SysWOW64\Haggelfd.exe

Filesize
376KB

MD5
c06dec0485a3babd376229f21a72834e

SHA1
e94ebe992b21c17b0d14dcf1a602617ded1ea3f7

SHA256
2911e0a043f1e0e909e7eca270f766bfd1d5f8e79f8c125c5d2d4e655200f8dd

SHA512
a270d420a6d5d4d31c9d7bd1e6ee737349432ef3bd48a911cb3f215f337a7aa5976ff84ad0b4bec8cc197bffedc418fd5674efa2a0b43b6bb41901e597d71f12

Download Submit
C:\Windows\SysWOW64\Hcnnaikp.exe

Filesize
376KB

MD5
aa7f312893b20230b7756bb1ea329de9

SHA1
cdff47425f634555a98491b267fd40c11f601c96

SHA256
110b724ec93aed6431531d6d8d8615fbaa24acbf22608d74efac035b455c57bc

SHA512
7f49f6495457ed96d6654c2a15968112a71953ff076314e52e1da0eb55000bfeb7989c3c31c06d88582f42088fceb51a922d7c11da968520f936086647e722d4

Download Submit
C:\Windows\SysWOW64\Hfachc32.exe

Filesize
376KB

MD5
f0062674c547cbeb9a5dfec7932d1f53

SHA1
603b6d269d3ce15b467f2d0b3541532793a51311

SHA256
11b2720c849cda9ca8f62e7fdd9be25f8622a34ce3b167446f798508dea4a299

SHA512
434b473f06c430a500adec8923c1549478b7e95e8c46da51b6eabd143d96ebb1bd36d40b459d58ba6f6102c309dde65e10eb64adb94bb4740e15c0a5bb315def

Download Submit
C:\Windows\SysWOW64\Hfljmdjc.exe

Filesize
376KB

MD5
1b56ef835a738ba001b5e287d65a79cf

SHA1
26cdb1ecb64f2449f09ba5336eec4f0ba6f54e6e

SHA256
5f229fb46172572279d3b6644e6cd5c0cab4ef5c9cd13039c5efca1d9f428dee

SHA512
568b44778174c0e20be2bd2be0ea1a92baf55f5f45c559a9a5d2264ff1c96a6c1a09d62599e30f5e9f17ebdb07596aef65714d2acbea4d20aa7a38be54bda588

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
376KB

MD5
1e224159e8dc050204c0fd600b924a7e

SHA1
64b821d25e5aa79a4cb1741c507ec6a7925ce41b

SHA256
6cc5285932a8da72b01f492f62303f49edf0c4b7ef067fc591509b04f61b0a50

SHA512
3dfc21dffa10eeaa100f48aa88b9c28359fe50690f66da6b22f9a2d5718ee75f1ece39a416976e1544e4057ad1b3a8d70db59699b5292972549a89fccff319ae

Download Submit
C:\Windows\SysWOW64\Hjmoibog.exe

Filesize
376KB

MD5
4519a71127a8b7898f9a50984291faff

SHA1
d0e48a480cc53e6d9685528eb24c895ade5705ae

SHA256
56cb561cdbe40f08325cb66384c8048f1437c0ef2ce0d7499bcac5f9906f0a0e

SHA512
0114fccdca6a2e591cb3e26261abbd6d60115735c7174da88e00a88ffaf19c85f0df0ab31c442b4c405a5361afc4976fd81b2deb818a41fcd0474f989a57dbbe

Download Submit
C:\Windows\SysWOW64\Hmdedo32.exe

Filesize
376KB

MD5
c27a60852efdceb0ff9c8b23fb105ad2

SHA1
cc4e2785c93b6529d8b94233bed60ba5d05e816f

SHA256
2f67fe773c5830e3568e9b1953547075477e03bda12c09d38cf8114217a85c81

SHA512
52902d063fe756a8b31b2b4e87f55159f7245da0c873ff0040dd3358a1e504167c24114111b79831139b31756d0c237f1b87003a3bc0d14908afcd441fc634ed

Download Submit
C:\Windows\SysWOW64\Hmklen32.exe

Filesize
376KB

MD5
388a85f56d496139e8fece9d5e65a020

SHA1
6d4de7d6722687ad2a17a7f2d61b37b06172d7a4

SHA256
5bf4c6fb7865e62662e09de683afe178a88a7a658ce981f134656d921422ce3b

SHA512
37b433c7f4dc39acf09bc546951ac3040fd4d47713b4020330d3416b8e50584548aa7a331988d8417fc91dd2381a5d1ed227c230d680cf41cb9bb52ae669c28b

Download Submit
C:\Windows\SysWOW64\Ibmmhdhm.exe

Filesize
376KB

MD5
726310ef21d7185e9d183cc8cbec583f

SHA1
8fc77f8846c721ae0d37236d4a5ac671199245f4

SHA256
d887d3d881affba157b3dff152d79d90245ebd246a5e372cf26a5f307cc10d6a

SHA512
0d2ffbe7e48611a66ba992bea23f3d8d4152f2db67fd10ef6f258800b98312ef7661132a7e1a34d2de950770d5520bd8f14fc767dfb87c18d069369eda5d942e

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
376KB

MD5
41b3bc1e3251253f06c7a264722c0e17

SHA1
205a77ad532f90158e66deb8f8695ce648fcce48

SHA256
8af8b8f50dc6a959f04b9643c6839ccbc2dc3f840d2fb5f05580e55914ddb472

SHA512
299ea70e6251295415510f1155da651c0393b3ae340ca986e70aae8784bf1a16bdbaf69beab0d9038c235514efc0a772a0553ce996900e24a5954e36e8ef7c41

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
376KB

MD5
0b5b1c1d11f7c021f6d9d0236d0723e9

SHA1
eb112c52ef496017381e18880750b11d2463a385

SHA256
150c1db82ebb52f0fbaab0fbdf2318d70c8c51f85230b1f5feab08c17b1ca784

SHA512
c4e76fdfd90c5adca7ccbb94bd115d3eb1c360765900dfc4e4511b2f8da3f74cc549d3764a228351f45340fdf5dedd379d91c71ec74bfb80dc09ccc40d497ad8

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
376KB

MD5
17458dd3ec109a53d9a7e3492da3aeeb

SHA1
150dace0326eb08516dad40c8810fb3ea7441371

SHA256
3d1f32a7e3582fa93377d42008709405fa18df75124a33a2395125a96f20f751

SHA512
3ce2e87fcf27c22ed4d8e91d1ad7679ba2f2bdeaae5a20a6d3556599e15b1fe6db061b47872757be1886c152ba5925117b8f91698c91aa0ec7e085dc39cc1b14

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
320KB

MD5
426da223fffef0632b3266d947372ce8

SHA1
b4ab97c720bae6666d4fb9c855004cf6d5d2f755

SHA256
4b2377feedf00cfda88587c6b6dbf16b19f6b72cbea037d1cbd2f8a3ff44c4df

SHA512
2ceb4d9a50fb83741a50680033e408947fc1003b0493a97d385df3b904eb9a83ba6e984650f1ec7e4aed8fc5bc2002bdf4ee968f2dccb4b8992e0c8997531ea2

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
376KB

MD5
c6587e704d6015f6baba4b10ff772cc9

SHA1
43cc05541ac23add675bbd4c1e45fef4bbe488d9

SHA256
97def7b5d9fd9227309c5224b2b308b779c3e8895cbb09c0489bc253c2bf395d

SHA512
7711ba57bbc78cf09d0686a7eb3371767b906d9dec7c61733b5de2a5d6f5def63e001abb652ad039c6c59a55cc621796a16a93bc0cffd597a22fabd45f27203f

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
376KB

MD5
c9e1da66ba0c1ee7a4856bfc7403dc73

SHA1
af2306055121b3e1258207c0043b00307be0bb55

SHA256
005a290243f6333babd8a1d1d2e8fac3dd6a8fd2d8acff49161755d2e9db8315

SHA512
34a02ea93724e9c1371d7fbb942143ae0182103b3acd3d2f775770dd7d96b3240c1c35b2558cd81a655b7345b7c01a0d0fc589fe32cc96d001cd13ce59eeeb37

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
376KB

MD5
5872c8d85b93c9390c9b3bdcb0c6a043

SHA1
bb6e91b3b1e7ec8566ef0404b0e93c076cb17465

SHA256
98ae800561367decfc6e0d1ff443dc649be588b1fb546a6b3e390045ecb94fa5

SHA512
4a00f794e8ffb4d05b509b67fa7232b6d709236536e5cc2be879f27ab78b35fc3d2e94e9f29b2f6cb9bef48cc11322e9a4e087c1e5c8510b4d8472a13a6ccd66

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
376KB

MD5
1f167eaf3c475e15013561dbdc787fea

SHA1
cb68f86e3b7e2da514e98f6e269b4b84d41011fe

SHA256
c8a101d10fcede4606ad93c9368306aa5851300d28c025303dfee6f41dc8b95a

SHA512
acedf53e052ca23abd4628097196f10f074009595b149578dd8f78bee79ba47534a88e7fa7136eae992c7ee1068a413e168901057f711d7b08126c40110ab5a6

Download Submit
memory/212-439-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/452-192-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/464-144-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/496-498-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/556-487-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/652-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/652-593-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/716-541-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/740-261-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1060-159-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1076-230-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1116-180-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-606-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-971-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1128-85-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1140-539-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1216-346-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1228-516-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1240-575-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1240-41-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1288-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1288-554-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1332-356-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1340-555-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1384-283-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1404-379-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1492-404-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1504-469-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1528-504-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1588-257-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1604-562-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2040-600-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2040-73-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2052-215-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2056-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2056-587-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2112-547-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2112-9-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2160-128-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2176-633-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2176-112-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2228-461-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2284-569-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2388-223-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2408-418-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2532-594-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2536-620-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2636-37-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2636-568-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2736-323-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2748-451-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2752-200-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2788-277-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2968-398-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3008-301-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3032-253-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3124-619-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3152-184-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3196-410-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3264-433-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3280-316-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3360-151-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3420-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3420-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3420-534-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3460-252-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3472-522-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3548-530-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3616-485-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3640-548-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3912-299-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4044-168-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4052-30-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4052-561-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4056-475-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4136-581-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4136-48-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4148-368-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4244-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4276-392-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4420-384-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4428-339-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4460-289-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4476-612-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4476-93-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4572-510-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4572-838-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4628-463-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4664-445-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4700-428-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4704-329-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4796-627-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4856-626-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4856-103-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4960-358-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4992-613-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4992-806-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5044-120-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5088-634-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5436-775-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.