a49d81defd9d7598393035a8bdca2a2163ba43e6063a36d99fe8cf838681a85a

Analysis

max time kernel
136s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a49d81defd9d7598393035a8bdca2a2163ba43e6063a36d99fe8cf838681a85a.exe
Size

108KB
MD5

aac4dc93c485e09926adfe787f04c323
SHA1

92937333ff67169a3d4d6bd757ded7653cddd69b
SHA256

a49d81defd9d7598393035a8bdca2a2163ba43e6063a36d99fe8cf838681a85a
SHA512

d3a6e0a26f89064ba9dd0713b7342441293013e0ae70919b5de76ecc431672a1ff9c3d7f2472ec1078d00bc4bcd3ebd294509d152d2f512e79584a7060cbc9aa
SSDEEP

1536:d1LvGngutY2M5yvLgaNVXUYyZwa4sTPpjjDb1xuruEFcFmKcUsvKwF:d1MntYHyLXZswajxvMJFcFmKcUsvKwF

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eofinnkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdhine32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Giofnacd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Haidklda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idacmfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gpnhekgl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elhmablc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecdbdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fodeolof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjolnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fokbim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmoliohh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibjqcd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqohnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjhmgeao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfnnlffc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jangmibi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmdedo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmioonpn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcekkjcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icjmmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe

Executes dropped EXE 64 IoCs

pid	Process
4680	Eodlho32.exe
2604	Ebbidj32.exe
952	Efneehef.exe
884	Elhmablc.exe
4564	Eofinnkf.exe
516	Ecbenm32.exe
220	Efpajh32.exe
964	Ehonfc32.exe
3368	Eoifcnid.exe
4788	Ecdbdl32.exe
3736	Ffbnph32.exe
4860	Fmmfmbhn.exe
2916	Fokbim32.exe
1612	Fbioei32.exe
4136	Fjqgff32.exe
4908	Fmocba32.exe
1988	Fomonm32.exe
4912	Fbllkh32.exe
452	Fifdgblo.exe
2704	Fqmlhpla.exe
916	Fckhdk32.exe
2812	Fjepaecb.exe
2136	Fqohnp32.exe
4196	Fcnejk32.exe
1056	Fjhmgeao.exe
2788	Fmficqpc.exe
2460	Fodeolof.exe
4156	Gfnnlffc.exe
232	Gjjjle32.exe
3360	Gmhfhp32.exe
1156	Gogbdl32.exe
3680	Gbenqg32.exe
3800	Gjlfbd32.exe
4540	Giofnacd.exe
1180	Gqfooodg.exe
2504	Gcekkjcj.exe
388	Gqikdn32.exe
4036	Gbjhlfhb.exe
2240	Gjapmdid.exe
3400	Gidphq32.exe
3240	Gmoliohh.exe
3160	Gpnhekgl.exe
2104	Gbldaffp.exe
4140	Gjclbc32.exe
3216	Gmaioo32.exe
4980	Gppekj32.exe
3412	Hboagf32.exe
1084	Hjfihc32.exe
8	Hmdedo32.exe
4412	Hcnnaikp.exe
4004	Hfljmdjc.exe
2272	Hjhfnccl.exe
3612	Habnjm32.exe
3740	Hcqjfh32.exe
1176	Hbckbepg.exe
1360	Hfofbd32.exe
4760	Hmioonpn.exe
1208	Hadkpm32.exe
212	Hccglh32.exe
3096	Hfachc32.exe
2376	Hjmoibog.exe
4056	Hmklen32.exe
2740	Hpihai32.exe
2924	Hcedaheh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ebbidj32.exe	Eodlho32.exe
File opened for modification	C:\Windows\SysWOW64\Hjolnb32.exe	Hfcpncdk.exe
File opened for modification	C:\Windows\SysWOW64\Gmhfhp32.exe	Gjjjle32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Gcekkjcj.exe	Gqfooodg.exe
File opened for modification	C:\Windows\SysWOW64\Icjmmg32.exe	Ipnalhii.exe
File created	C:\Windows\SysWOW64\Miimhchp.dll	Elhmablc.exe
File created	C:\Windows\SysWOW64\Fojjgcdm.dll	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Gmoliohh.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Gmoliohh.exe	Gidphq32.exe
File opened for modification	C:\Windows\SysWOW64\Gppekj32.exe	Gmaioo32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Fqmlhpla.exe	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Bdiihjon.dll	Kbdmpqcb.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Hfachc32.exe	Hccglh32.exe
File created	C:\Windows\SysWOW64\Jjbako32.exe	Jdhine32.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Icljbg32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kaqcbi32.exe
File created	C:\Windows\SysWOW64\Qekdppan.dll	Jjbako32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Fbllkh32.exe	Fomonm32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jkdnpo32.exe
File created	C:\Windows\SysWOW64\Neahbi32.dll	Fmmfmbhn.exe
File created	C:\Windows\SysWOW64\Jaljgidl.exe	Jjbako32.exe
File created	C:\Windows\SysWOW64\Fifdgblo.exe	Fbllkh32.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Hccglh32.exe	Hadkpm32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	a49d81defd9d7598393035a8bdca2a2163ba43e6063a36d99fe8cf838681a85a.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ldobbkdk.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnlm32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Hcnnaikp.exe	Hmdedo32.exe
File created	C:\Windows\SysWOW64\Ncldlbah.dll	Ijkljp32.exe
File opened for modification	C:\Windows\SysWOW64\Jfkoeppq.exe	Jdmcidam.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ocaapo32.dll	Gfnnlffc.exe
File opened for modification	C:\Windows\SysWOW64\Hfcpncdk.exe	Hcedaheh.exe
File created	C:\Windows\SysWOW64\Fckhdk32.exe	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gcekkjcj.exe
File opened for modification	C:\Windows\SysWOW64\Gpnhekgl.exe	Gmoliohh.exe
File opened for modification	C:\Windows\SysWOW64\Ijfboafl.exe	Icljbg32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Fqmlhpla.exe	Fifdgblo.exe
File created	C:\Windows\SysWOW64\Ibilnj32.dll	Hfljmdjc.exe
File created	C:\Windows\SysWOW64\Jmkefnli.dll	Hfofbd32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kbdmpqcb.exe	Kpepcedo.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6884	6744	WerFault.exe	268

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibilnj32.dll"	Hfljmdjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjmoibog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmklen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppgjkamf.dll"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fomonm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gjapmdid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fokbim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncldlbah.dll"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggipmfe.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmkdlkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgblmpji.dll"	Ibjqcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Ijfboafl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpepcedo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gqikdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icgqggce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkpnlm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmcglkid.dll"	Fodeolof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fqmlhpla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppaheqp.dll"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhoohmo.dll"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fjepaecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Habnjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjdia32.dll"	Hcnnaikp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehonfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcplce32.dll"	Fbllkh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbioei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbocjjm.dll"	Gcekkjcj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4680	4072	a49d81defd9d7598393035a8bdca2a2163ba43e6063a36d99fe8cf838681a85a.exe	82
PID 4072 wrote to memory of 4680	4072	a49d81defd9d7598393035a8bdca2a2163ba43e6063a36d99fe8cf838681a85a.exe	82
PID 4072 wrote to memory of 4680	4072	a49d81defd9d7598393035a8bdca2a2163ba43e6063a36d99fe8cf838681a85a.exe	82
PID 4680 wrote to memory of 2604	4680	Eodlho32.exe	83
PID 4680 wrote to memory of 2604	4680	Eodlho32.exe	83
PID 4680 wrote to memory of 2604	4680	Eodlho32.exe	83
PID 2604 wrote to memory of 952	2604	Ebbidj32.exe	84
PID 2604 wrote to memory of 952	2604	Ebbidj32.exe	84
PID 2604 wrote to memory of 952	2604	Ebbidj32.exe	84
PID 952 wrote to memory of 884	952	Efneehef.exe	85
PID 952 wrote to memory of 884	952	Efneehef.exe	85
PID 952 wrote to memory of 884	952	Efneehef.exe	85
PID 884 wrote to memory of 4564	884	Elhmablc.exe	86
PID 884 wrote to memory of 4564	884	Elhmablc.exe	86
PID 884 wrote to memory of 4564	884	Elhmablc.exe	86
PID 4564 wrote to memory of 516	4564	Eofinnkf.exe	87
PID 4564 wrote to memory of 516	4564	Eofinnkf.exe	87
PID 4564 wrote to memory of 516	4564	Eofinnkf.exe	87
PID 516 wrote to memory of 220	516	Ecbenm32.exe	88
PID 516 wrote to memory of 220	516	Ecbenm32.exe	88
PID 516 wrote to memory of 220	516	Ecbenm32.exe	88
PID 220 wrote to memory of 964	220	Efpajh32.exe	89
PID 220 wrote to memory of 964	220	Efpajh32.exe	89
PID 220 wrote to memory of 964	220	Efpajh32.exe	89
PID 964 wrote to memory of 3368	964	Ehonfc32.exe	90
PID 964 wrote to memory of 3368	964	Ehonfc32.exe	90
PID 964 wrote to memory of 3368	964	Ehonfc32.exe	90
PID 3368 wrote to memory of 4788	3368	Eoifcnid.exe	91
PID 3368 wrote to memory of 4788	3368	Eoifcnid.exe	91
PID 3368 wrote to memory of 4788	3368	Eoifcnid.exe	91
PID 4788 wrote to memory of 3736	4788	Ecdbdl32.exe	92
PID 4788 wrote to memory of 3736	4788	Ecdbdl32.exe	92
PID 4788 wrote to memory of 3736	4788	Ecdbdl32.exe	92
PID 3736 wrote to memory of 4860	3736	Ffbnph32.exe	93
PID 3736 wrote to memory of 4860	3736	Ffbnph32.exe	93
PID 3736 wrote to memory of 4860	3736	Ffbnph32.exe	93
PID 4860 wrote to memory of 2916	4860	Fmmfmbhn.exe	94
PID 4860 wrote to memory of 2916	4860	Fmmfmbhn.exe	94
PID 4860 wrote to memory of 2916	4860	Fmmfmbhn.exe	94
PID 2916 wrote to memory of 1612	2916	Fokbim32.exe	95
PID 2916 wrote to memory of 1612	2916	Fokbim32.exe	95
PID 2916 wrote to memory of 1612	2916	Fokbim32.exe	95
PID 1612 wrote to memory of 4136	1612	Fbioei32.exe	96
PID 1612 wrote to memory of 4136	1612	Fbioei32.exe	96
PID 1612 wrote to memory of 4136	1612	Fbioei32.exe	96
PID 4136 wrote to memory of 4908	4136	Fjqgff32.exe	97
PID 4136 wrote to memory of 4908	4136	Fjqgff32.exe	97
PID 4136 wrote to memory of 4908	4136	Fjqgff32.exe	97
PID 4908 wrote to memory of 1988	4908	Fmocba32.exe	98
PID 4908 wrote to memory of 1988	4908	Fmocba32.exe	98
PID 4908 wrote to memory of 1988	4908	Fmocba32.exe	98
PID 1988 wrote to memory of 4912	1988	Fomonm32.exe	99
PID 1988 wrote to memory of 4912	1988	Fomonm32.exe	99
PID 1988 wrote to memory of 4912	1988	Fomonm32.exe	99
PID 4912 wrote to memory of 452	4912	Fbllkh32.exe	100
PID 4912 wrote to memory of 452	4912	Fbllkh32.exe	100
PID 4912 wrote to memory of 452	4912	Fbllkh32.exe	100
PID 452 wrote to memory of 2704	452	Fifdgblo.exe	101
PID 452 wrote to memory of 2704	452	Fifdgblo.exe	101
PID 452 wrote to memory of 2704	452	Fifdgblo.exe	101
PID 2704 wrote to memory of 916	2704	Fqmlhpla.exe	102
PID 2704 wrote to memory of 916	2704	Fqmlhpla.exe	102
PID 2704 wrote to memory of 916	2704	Fqmlhpla.exe	102
PID 916 wrote to memory of 2812	916	Fckhdk32.exe	104

C:\Users\Admin\AppData\Local\Temp\a49d81defd9d7598393035a8bdca2a2163ba43e6063a36d99fe8cf838681a85a.exe
"C:\Users\Admin\AppData\Local\Temp\a49d81defd9d7598393035a8bdca2a2163ba43e6063a36d99fe8cf838681a85a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\Eodlho32.exe
  C:\Windows\system32\Eodlho32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\SysWOW64\Ebbidj32.exe
    C:\Windows\system32\Ebbidj32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Efneehef.exe
      C:\Windows\system32\Efneehef.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\SysWOW64\Elhmablc.exe
        
        C:\Windows\system32\Elhmablc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Windows\SysWOW64\Eofinnkf.exe
        
        C:\Windows\system32\Eofinnkf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ffbnph32.exe
        
        C:\Windows\system32\Ffbnph32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Fmmfmbhn.exe
        
        C:\Windows\system32\Fmmfmbhn.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Fjqgff32.exe
        
        C:\Windows\system32\Fjqgff32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Fmocba32.exe
        
        C:\Windows\system32\Fmocba32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Fomonm32.exe
        
        C:\Windows\system32\Fomonm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Fckhdk32.exe
        
        C:\Windows\system32\Fckhdk32.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Fqohnp32.exe
        
        C:\Windows\system32\Fqohnp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        25⤵
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Fjhmgeao.exe
        
        C:\Windows\system32\Fjhmgeao.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1056
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        27⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Gfnnlffc.exe
        
        C:\Windows\system32\Gfnnlffc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4156
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        31⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        32⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3800
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        39⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\Gmoliohh.exe
        
        C:\Windows\system32\Gmoliohh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        44⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        45⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\Gppekj32.exe
        
        C:\Windows\system32\Gppekj32.exe
        47⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        48⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        49⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2272
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        54⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\Hcqjfh32.exe
        
        C:\Windows\system32\Hcqjfh32.exe
        55⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        56⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\Hccglh32.exe
        
        C:\Windows\system32\Hccglh32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:212
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        61⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        64⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4084
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5072
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3728
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Ibjqcd32.exe
        
        C:\Windows\system32\Ibjqcd32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        71⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        72⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        73⤵
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4576
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        75⤵
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        76⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        77⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        78⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        79⤵
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        81⤵
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        82⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        83⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        84⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1236
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        87⤵
        
        PID:412
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        88⤵
        
        PID:508
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        89⤵
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        90⤵
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4532
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        93⤵
        
        PID:912
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        94⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5196
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5260
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        97⤵
        Modifies registry class
        
        PID:5296
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5472
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        102⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        103⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5640
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        106⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        107⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        108⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        109⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        110⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5888
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        112⤵
        Drops file in System32 directory
        
        PID:5936
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        113⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        114⤵
        Drops file in System32 directory
        
        PID:6024
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6068
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        116⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5012
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        118⤵
        Modifies registry class
        
        PID:5188
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\Kkpnlm32.exe
        
        C:\Windows\system32\Kkpnlm32.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5320
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        121⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        123⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        124⤵
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        126⤵
        Drops file in System32 directory
        
        PID:5748
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5840
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        128⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        129⤵
        Drops file in System32 directory
        
        PID:6020
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        130⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        131⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        132⤵
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        133⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        134⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        135⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5972
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        137⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        138⤵
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        139⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        140⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6124
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5584
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        143⤵
        Modifies registry class
        
        PID:5156
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        144⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        145⤵
        Modifies registry class
        
        PID:5836
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        146⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        147⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6252
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        149⤵
        Modifies registry class
        
        PID:6300
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        150⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        151⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6424
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        154⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6588
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6632
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        158⤵
        Drops file in System32 directory
        
        PID:6668
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        159⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6716
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6800
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        162⤵
        Modifies registry class
        
        PID:6840
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6876
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        164⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6956
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        166⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        167⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7032
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        168⤵
        Modifies registry class
        
        PID:7076
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        169⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        170⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7152
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6176
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        173⤵
        Drops file in System32 directory
        
        PID:6284
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        174⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        175⤵
        Modifies registry class
        
        PID:6404
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        176⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        177⤵
        Modifies registry class
        
        PID:6544
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        178⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6620
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        179⤵
        Modifies registry class
        
        PID:6660
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        180⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6744 -s 420
        181⤵
        Program crash
        
        PID:6884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6744 -ip 6744
1⤵
PID:6832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
108KB

MD5
812c1fe9396f76469f87705a6874b734

SHA1
928454ceb6360fba48f384a46327640284559313

SHA256
073ead03f955e222b6532e50e4c711c644501607419aad0d1b4644babc844e08

SHA512
e70924de07062d6120db41cc241cc03dc557ea86e8772294805afb181407fc19446235d8f734105a37e73067b83ca0233da54f5abcccbcdc42497ef4c8b78b56

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
108KB

MD5
ddfbecba6178349ba27ab5c1b4c0c2d2

SHA1
2c4a2b8248fac6ff3f9a44edecba573dba5968f6

SHA256
08e3ed52ebbe8804d304b27004294ac8b0a4996627e978b02824a211adfc47a5

SHA512
a49155d2090f6dfe6e475e1bde272ddf817f7c3b1241e576293e4080fff381eaed8bb216e5745a3a719a6b1d8a6306880fc489ab758d5966a13641a91b8a0901

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
108KB

MD5
f37ff55442d8bf1599f1673414725f08

SHA1
a72fcfe7acda9e58b3814ee7572b001f30807f72

SHA256
210a950f8a0bb41d0266fd16a4033b2fa74815c5ab3559df178ba4a294222824

SHA512
aea5f89253463302207de76c1e5001f5ff4e8deece8b89f5efc1daaead833e340e10afd8071e54377fae0477871bf68fb1254ced08178df7517693872c848806

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
108KB

MD5
3f0d2cdc1318686cea3e19f01c79504f

SHA1
4e240c41cecb613f55a348ff00f3687826a78d5e

SHA256
58532d3d37bfc3d05ff0a3f1ab66f2dca8c66973428505f0c3d3cc24759d88ad

SHA512
32d005b7e5f1b5565ed7793a58fd4d6b9ed1ff75c6da6421e4fe34a16ea98202a656b33f1b9615e3dbb5fb2eb749bbd23f7e09c8aa76f5170be8a4f7ef051f26

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
108KB

MD5
ada79c54e2804b6b64ff07cfb2bac96c

SHA1
7aa19a533b2c41d50227198088d61216825c94ef

SHA256
4e47bbf21e53020309c0033f024ff00003071dafceab4f1873cb263e95576173

SHA512
3a5661272c9f2a7c8219d0d217ac3c600c53a1a97fb52f255f3279c104193891ededd3fe47f227de58a8be2a09fccd543af21556bc9848c7e99a9eaade0f027c

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
108KB

MD5
6bed2b1472b11ab1541e4b577c7cf735

SHA1
a5204c26fbfbd511103a117ce9d2cc96593ad4d1

SHA256
acb279666629464e3aa9b5ec947318a2490a093f6b2cbb5edc1d92e07512009c

SHA512
6532310f77d76e90c17f83c6823568df5b4ec92d809ed1dbec31909b838e94675b47107bb6af8f6c56f72b7d19e167cf09d049dd7047c47c966f101662a5ad4d

Download Submit
C:\Windows\SysWOW64\Elhmablc.exe

Filesize
108KB

MD5
c948a35226401f84777d08ecc1ffaca0

SHA1
5806e40a16e42935cd09f2c236bb41cbb739279e

SHA256
ed8cd08328db56e5ea2f45abb2e5b2c2cd2f0feca43841fcdf11d4eb77463d8d

SHA512
9eed3c467d1c9cee9474f2e1c4d50cabb030346affc55ce78cbdf4a46e1f14ea5b48120a184f2846cbc95ae1ac4f967a4ed6027821c14eb24df50ee8e3d97dd8

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
108KB

MD5
15a102703a2304f11c0c1e6261e974a1

SHA1
2784483c8464b731751d78ef1a119652a7d73920

SHA256
c2c90cd1c0d1c45bf53ed7cefdc0ca7850fff6af45f0bb9f8050b9bda51e95db

SHA512
4aae866a6390b9c2585f0541b7d855617b62ff6d774313d95f28a47cb2e71963f7ff994717f1f3c08ef9de563894f5d2084916ca3f23c6b9778ce9b288d6897e

Download Submit
C:\Windows\SysWOW64\Eofinnkf.exe

Filesize
108KB

MD5
f03bd0c9b76383a11301299e4cd13bf1

SHA1
3915166188f91a96e292aa3c65c81e81de11c1a3

SHA256
f124feebfb1a8464daa1bcf024c79818f9984f8c02e26986bf25bfca6972a915

SHA512
84dff4d0aa1f2f12a5a73f0438e2ce722d561551027fe7f35bca22ae61e03d5191da5bb6026d7e3267dc62399ad300ba33183276b12a812880c0ff9c4c78e38d

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
108KB

MD5
7819d0defee106aac0a141aed175dd3b

SHA1
9778e4248a0bd7fda571073bf747a8032a901d67

SHA256
157926ea8ceaf477f300fcf827996c27635d496aac48b88807f4d9ae3ca869d4

SHA512
14bc05568706086df98784d26f16e3e512b6308b6b38992c07d770fc3f8abd66fefe23443169f74b13d4747c37abc185e67c6588c7903eec4f1a33d5c991bb47

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
108KB

MD5
a7275a62abb3b336d15d09fe8a62b110

SHA1
3da7c8146250bca544ab93d104fd9bf5b23aa5a2

SHA256
211dd38bddc4c9ba636498e831c879170a0822daa4cf48caed0b697e00259cf5

SHA512
c7b15b3f6b654e3fafdde362aa6d8a0f9ac16e88b8257e2786960d3cd4a008876143e6c8ff3ccfb9d5f4de745a8b8f1c06c740691f0658891fbee2ae59b53dc3

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
108KB

MD5
c96a5d90b432b2ad7d36735be7e48b95

SHA1
26b9669cdbbc262050d36d7fe52a624ad57aa819

SHA256
66afb6f1f28ced6e0333c9aeb815fa77a5b991c2f1bf9a6521b56833f706c476

SHA512
81fc8da6947fc1808c36d3a140270bf0b41f1f68d35a95e8ddb8e023d652a5f70a07ef9a30f161c8705716b8f1c9feb1e06a3696cc58e8a2f19feabf5e8733a1

Download Submit
C:\Windows\SysWOW64\Fckhdk32.exe

Filesize
108KB

MD5
bd9d10970952f0bfbf5aee58b7f3b1c3

SHA1
3a2c3c5e1d7ea4157552e21edf487d7fe566f06e

SHA256
26b73902e8374633a9ad19cc7a6e1aa86e63560977eb914948f76dc2f69018fa

SHA512
0231ca125f3388848499de5ed0a27e43694cfc7b9efee7e2710123a89d2021e16174b0c6b38b581748c79b7210ee64d4e06b0ab2cd6cf45686a08d11ad0e9cd1

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
108KB

MD5
4bb4f9273c1870c7d57769697177aade

SHA1
1b86eb45b55c524d74010387b2acfb0e6fa9332c

SHA256
0ee3ef21769d9148e263c6c65ea5f531ca057f2c32b34a2619b71618d8615fd1

SHA512
39523af09640b98505068fe0a6de441fb9ae1fe22a4a58ff97473822e4e523456b410cb113f1a4c3de72e01c95d2e9c61d8c56d9cbf818413a7b3c60f12362f8

Download Submit
C:\Windows\SysWOW64\Ffbnph32.exe

Filesize
108KB

MD5
75dabb261d512a6d296d8a8d35add3a7

SHA1
87911bc7f10527804aced9276fa4f21f613ab998

SHA256
724d138b545f372996408347de37ae4afa4b9c011c2e445c0d2cc01c6481b86a

SHA512
38727b66c4a5d0d874264377a7538b41a44ab39ceb838359a82aea4d022b4360ee5462868a681375fe6575870845883238dd6d1cc68d48d2b28f54dffe412075

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
108KB

MD5
89096da2baa873152b63d216b51d0c83

SHA1
5e5c5ba35306c83ca602848dbf80e56577fc463c

SHA256
c69085414edd3e66c569765b0dc1c40e9cb5a4f39eead85a2c2d6693dc089091

SHA512
c4b6b4805ca90c4cf1bb2dca3fb52a7ff0bb8fa88a409b94a236dc6063e40dd5f7a562f8260677102b907673fca91f3dd118c94907dd2f1fc7e498529526b2d6

Download Submit
C:\Windows\SysWOW64\Fjepaecb.exe

Filesize
108KB

MD5
a9f405170537e5296808e835e346bfe4

SHA1
ac1d0ea84bb4d5d23bf26a63f3418b65991770c8

SHA256
ca1a51e6e55f1a05848ae6ed7b7ff70887d62383dfb43399d3aa8b9eb99920fc

SHA512
d930b89d5d4527b2ea7ee2ee1d04836c5e9b9097725ac972ebfd977a5727cd856e2ef69de9ab6a01a075c6c9b411e31748a87211149960d3899afb671fbedfaf

Download Submit
C:\Windows\SysWOW64\Fjhmgeao.exe

Filesize
108KB

MD5
6e795e80cac60422994d37f230438d86

SHA1
a95a9452ee4cc35477ec4c1852b52626f70cc784

SHA256
9a1557d18b81ea7fdb1b1573fd3f50faac1f27d5226d63df408c3ef63c043971

SHA512
08496fcb13779105afcf95e1a8d86f0fcbb4df8dce40dfdcafff492eded2b65d755dbba0369f8191b562af46a6250d78340b287963b3d596114113602d250732

Download Submit
C:\Windows\SysWOW64\Fjqgff32.exe

Filesize
108KB

MD5
e1f864922c67665c721a6acd91feb99a

SHA1
7af683071a7dd0bd1146e367c4dae8991d621356

SHA256
4c2057453bda23c841c44f9f3986d2419899ec9f40c0ef793261141efe8428b9

SHA512
1069d3520d9b86404d45a162d06028cec6136b258e6aa7f22d492c314cbbbf41f97998a414e07a5805d62dfaed6d0de4419cfd15b8a3cba3bf8cf73ad49a4453

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
108KB

MD5
6d162c61fefae4a70f77fbde0d6b2980

SHA1
39e512da712cdc773eebccb4f58a1d79b0e960bf

SHA256
2ed03464e084088c4e0f90ee3855ea7143324f77141395f0022eaf26689c8612

SHA512
5b51eaee25ce97379d756b58d16d1ed566351e21afc6be6821f6f2827e42e3b4621b37c2ce1a66ba98602e752b3bd4ecbe0ef58e09a463b71289b95012339395

Download Submit
C:\Windows\SysWOW64\Fmmfmbhn.exe

Filesize
108KB

MD5
e4b73afbf7c4015690313c166ae96057

SHA1
dba2e65cc585de5e669e890617e75c23188168a6

SHA256
ac73f5fdcbbdfc04982a020938bf06206dc1f549f4046e45c44209244d00749d

SHA512
367c2605cbdceaa9658a0a80928b550adeb4adbb79a3b3ced14c7c24877f5b25ea6b8b3017b25e3d98598dfe36a3840fca4ace4427c211300d450099a2b3fb6d

Download Submit
C:\Windows\SysWOW64\Fmocba32.exe

Filesize
108KB

MD5
91b9a2d9aaea804d9b020f42527220d8

SHA1
28539cef0e69adb72d3356eb7e3486f09748db10

SHA256
6dd037fc4821de85378369240c6770e40d6f0a6fe666860c9b4371557173586f

SHA512
a21b62988c0213af5b58b26e182f2d53eb62794992a7f3b551390994d9d413c31d912acdba936e50b39306c4e2ff291ddc9a6d3df5750988e1f3df98153d2a01

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
108KB

MD5
2b468dfbd23342d1f2c8c793ec361814

SHA1
2e1abf9be5a8bd231b8948a3002cd6fee6668753

SHA256
616efee4bd9cf7c9a00e4a1efde2c00953d218d611b49e176d4e306f3ed26cd2

SHA512
72cf20f4ae45695cb481d73eeda9fcc2d5fc56556e1af83e0ec333d4588cf76c1370ac403ebdbbdb7c7132dd437428d63d17089af0bb71b1fdf16ccc2147600e

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
108KB

MD5
53dcc13fd66309a95726f346f3189d41

SHA1
895544d130c01a58c21e1510237feae50d888f46

SHA256
1e705ca24a0c230ff79c36b040424f15b8631133b197a48a01ac648424cf7737

SHA512
713ed308d28bf4d0d4632e420d292e72ea9af080753ef5fce0b01c6f3218f56edbf31e3d29963a49f7fb6e00fc88aec9cab1d0da98db3027458c64bfc79a1138

Download Submit
C:\Windows\SysWOW64\Fomonm32.exe

Filesize
108KB

MD5
8a807295a301b78c0227edf5474cd851

SHA1
c255ef2eb8f6b0334785cf126644a9a8c2e906bb

SHA256
0e502a5acef7f544a27d83d01749737a98c1bf28c67f642274b32314cae45b6f

SHA512
715ed13dc0c9fcb1928c87b33d60366761db1c6801672640b47551442dec5464e525f393baa7f71a96ad83d7baee5e269767de6aed9935cd1e6f3bb142ee7308

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
108KB

MD5
56fcab44ac927c29f16d03e5d90bd45a

SHA1
e035665f84f1fd57655979c213fe7f22d1f909ce

SHA256
44c9002e650f43f8024bfa59d4abc7919cd96fc4096060eb555d1035b294383a

SHA512
cd3766d3a873a1e13f8293cfe105558fa72d5a11028af2232630dfd67051f72bc5e3f44ef0c3963065ac82103a85320112f3c7d0e02e9ff046626888be0bc92f

Download Submit
C:\Windows\SysWOW64\Fqohnp32.exe

Filesize
108KB

MD5
c9a1f4d6090d3d680a164220429b41af

SHA1
0e98eef0ea89cc532495ecb5814d997c0a102fed

SHA256
2413dfaf2ce9a468b33332422e9d970e46e06b5445682dc4344fa9967370c934

SHA512
0dfdc811d8df8c425fdb05e515912ad1e049500c59a298aa5d9344f0184d7799fe717dfa256d8920b7f56438ceddcecab1e040353e2191b2bbac97164fdcf872

Download Submit
C:\Windows\SysWOW64\Gbenqg32.exe

Filesize
108KB

MD5
fceef048938189ed91bbc7df48a7c7c0

SHA1
88b9019cb39b2d9c391664c923b2d27768aa7dba

SHA256
316819429c9099519f7a17782efa0b3206e252d3f56bc82ce8e86cda4812924d

SHA512
5451234b67018a37a6d00b10499c7e489783171e32a14c0cd235cf302b9d67f5a3b68f5892f8becfe6cdc97ac323be6097ceb5ddbd0230e29cf8c7096a2b1e99

Download Submit
C:\Windows\SysWOW64\Gfnnlffc.exe

Filesize
108KB

MD5
29f6baeaa7254357fe0b041460f949f3

SHA1
1aaea518dfe3b93dbc9e8fb3d4e694dd93f71bef

SHA256
50613b627867d51b80ba3cc737db0cd4f7016efc95bf55f8c33531d5f0268ba4

SHA512
7d1679ad2d287cc3d1bc042a1a0a0c292bb7fb47c5b84c72c658d058362d87ac16d68a9ae7ea6d346539365f75cc3e281d1c9fa6b62c039b3f199f621effcb31

Download Submit
C:\Windows\SysWOW64\Gjjjle32.exe

Filesize
108KB

MD5
7ddc6d9339c5300565293bd4ed542f4a

SHA1
e5de8cc557520502aa8a1d4d9d8991cb7e416e53

SHA256
563fa1683cfda9548297984a61b2286de1796fb8de32850a2f00c994d030a8aa

SHA512
ed19a14d1df078a5c5c5a138a4335389b7a41610b0eb02e4bc34d5277a07bc8827978a09d7ed882b31e7ab18ca38de19b84419a794674561bfbd0b13457fbace

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
108KB

MD5
ab520874cd7b18f8818107a90d8cc5cd

SHA1
08da170077bb744128687c158a0f92b0e17ae61e

SHA256
63829a2d5b331e79a77dc83297c8496b1af66eb878f169207c320632167ad8dc

SHA512
e3a7ab863c9389f980ef5a5c549dd5e9b6c8a415c1d3b9014f84dfdc732ed309d5a2bfdab7a33d8ef7858407c83e02148556b2005657e31d58e58dc4e367627b

Download Submit
C:\Windows\SysWOW64\Gogbdl32.exe

Filesize
108KB

MD5
0ee1c3a98b4c33146940c0616db5a325

SHA1
9fdff248697d8e524d6bb120f9748df0eeb22d8b

SHA256
f9a066131337bf1de019007317fed0928135fc55f9e789913c2117aca7a10cbf

SHA512
2854d4b28cc58961a04eeeb99897649b3c2e602d90ff08823a0d99e75af286f65decf73b46051c2f8e773052c65b32c6f686802a25d6f15b62fa696102b3f2ff

Download Submit
C:\Windows\SysWOW64\Hjfihc32.exe

Filesize
108KB

MD5
55e05f8c14d1ef91c2adf06d787e1f18

SHA1
f81c96264bae9e5ce9093bd4e81c55d4991d7fb3

SHA256
333271f51f95ceda075906d3268cd69ac5c4ceea6bf21cb47db2156b707ff5e3

SHA512
38e0fca88879a0bfc678a5165b197cab397e5016dacf04d7b48788e931c1fad92b3d045352abc95108fb9f094a6f5ebdc5d6816a943075abd528c76b5a7ec394

Download Submit
C:\Windows\SysWOW64\Hjhfnccl.exe

Filesize
108KB

MD5
d715b7d8ea6feb9dca299d003418a9f3

SHA1
c8ce1efcae36856548e44a606d70be8b621b1309

SHA256
b8a4b3d24f25c10e1b3f6efca5091b70f85a76817f9531f87b61084f61361159

SHA512
f33c64193eec3a1420aeb1ae930286636542ce07934d6d0e76fd49d1555e64dc393d33417f25e70a38985732599cb1301af3b235a00ac152659da798cb53f1c3

Download Submit
C:\Windows\SysWOW64\Idofhfmm.exe

Filesize
108KB

MD5
d7ed6bfc4b0c6cd36ad2b28fb13251d6

SHA1
1861781eda2774f695e3c87327aab7a09d91fcb7

SHA256
8fe1fa052606ef3b897334ad4a3c894cf383cf558a1ad78d783fa6eaa53d2138

SHA512
da607f32a6a0e55159143677c359bc13c5ceff8796f3daca1c0bb9a4c89787de7a3571051ef257c560cbd24be02349c2eb4d29c6e85b9a3895c1de6c4eedd893

Download Submit
C:\Windows\SysWOW64\Iinlemia.exe

Filesize
108KB

MD5
bb7a70529f8f1d4e5c524a0623e21b82

SHA1
5748bbe98e88668f8cd264c54685ae881933dd7e

SHA256
4f3dfc2c39db3160cfeba71e5ec99057893428cb36ae9483bdb965ee6cf7f535

SHA512
8c9b78df5147625ed1efa5501ccb511c0108c8dd89787815b304ef6071f5c488de468b0b836f7644e87654c9f41c30650cf1a8020b2c38e6de2d384fd7bc63b2

Download Submit
C:\Windows\SysWOW64\Ijfboafl.exe

Filesize
108KB

MD5
c3f10b84a6a134ca09572039ce3b7b47

SHA1
7d2b1c56fd21ba806ac3b0cb30dda69abea5ecc7

SHA256
bb431f6d366dc60d5979d9d7c407be76d268913b335208af9479adb10a7128fe

SHA512
d5e40d39574a40fc7a3fae62e3d4484c1bd7552b3ec660ae420cf8b9066a1ff474d504d44ade982b99b880d35e9f84cdef6edbe803805a2703a3748a609a0cb4

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
108KB

MD5
2e3701637e7a2e1131cb353fecea384c

SHA1
bd37761d8bc02eecc1135238629ff829f8c35b87

SHA256
426b55aa3751fa55c24de5ba6be52fc241e47f1b75f7bfcc075ff28b8bc4655f

SHA512
36f26552ecf04a9d6c21a792ae552bd009d259d801053cf0cd1a040c7dc141a807636b8c5a2fce371446c9d1e56c2cbeb5bf8e69caedae3bc0f08d2c077c0e00

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
108KB

MD5
d48618ea7c354e705ff60894c58930db

SHA1
eadf4ed20eb2d53fec92bd9c0d925e1d7dfad728

SHA256
d96119151fcf5a84b9ea1e6f078f386eae8d3997fabc2dbdb200fc966aa58e75

SHA512
2f98330c8bd7fc1165171097dc71f59d7a9c6347bfc138f56d5577ca485c36d5668b60a5fb3b41abb8bdd66de1fc4543b3de3f620a91ad17aa7becb1e37da434

Download Submit
C:\Windows\SysWOW64\Miimhchp.dll

Filesize
7KB

MD5
85e94e690a86ffeb01aa2f27bc309377

SHA1
28689f8c70a3b354ade6dc3a450b70124d35f4fe

SHA256
2551745b3c9295ba307b01969ba585baf59140225f78a3b379a6cec9560ef295

SHA512
b2fdce61eea83d9f930cf6648c39d7de305a14eefbb3b33e6e9df4559632b518d546ccdd9ef3e42096747035633a4f601de528e7fc6d85ada88a1c6200318291

Download Submit
memory/8-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/212-1397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/212-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/220-578-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/220-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/232-231-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/388-283-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/452-654-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/508-579-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/516-576-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/516-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-562-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/912-610-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/916-167-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/952-552-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/952-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/952-1509-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/964-585-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/964-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1056-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1084-1418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1084-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1156-245-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-1405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1176-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1180-275-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1208-1398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1208-410-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1360-394-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1528-1332-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1596-1336-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1612-622-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1612-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1892-1371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1892-491-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-641-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1988-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-317-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2136-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-553-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2240-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2272-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2460-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2504-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-1510-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2604-546-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2704-164-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2704-1474-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-475-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-1374-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2740-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-566-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2812-175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-1373-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2916-620-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2916-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2964-516-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-510-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3096-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3100-468-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3160-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3216-329-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3368-591-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3368-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3400-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3412-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3612-377-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3680-258-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3728-457-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3736-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3736-603-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4004-365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4004-1413-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4036-1438-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4056-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4072-534-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4072-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4084-451-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4136-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4136-634-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4140-323-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4156-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4156-1458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4196-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4316-469-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4404-498-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4412-363-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-1335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4540-270-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-564-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-46-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-492-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4680-540-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4680-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4760-405-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-601-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-504-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4824-1365-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4828-528-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4860-609-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-635-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-648-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4912-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4980-335-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-1355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5012-1282-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-522-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5196-623-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5340-642-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5444-1251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5468-1240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5836-1227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5920-1261-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6108-1285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6176-1175-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/6464-1210-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads