5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e

Analysis

max time kernel
7s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 20:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe
Size

199KB
MD5

ac82ba612faf26561992f3d56c4383f3
SHA1

3490c5ebeab2e0b65f4155fd6cc2a1db7cc8b52d
SHA256

5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e
SHA512

546895f58e3cab171a6e3957a345399207b147141dcb9cb1d9d46091851c864014dbbf23f43933342b607b32f322db406bbd9b9a0eb6019e261bee56eb8e3420
SSDEEP

3072:yvaPll3ZgNP0S5DSCopsIm81+jq2832dp5Xp+7+10K03Rq/ghavVQXxFaPsRbh:yvB0SZSCZj81+jq4peBK034YOmFz1h

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgdhgmep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npgabc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfningai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfpecg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jodjhkkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iohjlmeg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnbgddc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npgabc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oocddono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igcoqocb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ienekbld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npedmdab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iomcgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jodjhkkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnqeqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnckpmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hglipp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojnblg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ienekbld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knbiofhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oepifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghppm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghpendjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kflnfcgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlnbgddc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kimghn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpieqeko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibicnh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiehpahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiehpahb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leadnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npedmdab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gochjpho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gafmaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hofmfmhj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogpepl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlpeff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kngcje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lflgmqhd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Medqcmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nheble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oenlqi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdlpneli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hfpecg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpbfii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgdhgmep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knbiofhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlpeff32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hoogfnnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkehkocf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnkcogno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igjeanmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nheble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gochjpho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkjhoq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gahjgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebmekoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdfdmdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnckpmql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lidmhmnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lihfcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfjjga32.exe

Executes dropped EXE 64 IoCs

pid	Process
320	Fnckpmql.exe
264	Gochjpho.exe
4440	Gkjhoq32.exe
4392	Gafmaj32.exe
4576	Ghpendjj.exe
544	Gahjgj32.exe
3540	Ggeboaob.exe
216	Hdicienl.exe
2132	Hoogfnnb.exe
2000	Hdlpneli.exe
3896	Hkehkocf.exe
3952	Hglipp32.exe
1532	Hfningai.exe
3868	Hofmfmhj.exe
2392	Iohjlmeg.exe
2172	Igcoqocb.exe
2276	Ibicnh32.exe
3796	Iomcgl32.exe
2028	Iiehpahb.exe
4144	Ibnligoc.exe
692	Igjeanmj.exe
872	Indmnh32.exe
8	Ienekbld.exe
2212	Jodjhkkj.exe
560	Jecofa32.exe
640	Jnkcogno.exe
1508	Jgdhgmep.exe
2764	Jicdap32.exe
2716	Jfgdkd32.exe
1748	Knbiofhg.exe
1588	Kpbfii32.exe
4828	Kflnfcgg.exe
1956	Kngcje32.exe
1676	Kimghn32.exe
2104	Kfqgab32.exe
3136	Kiodmn32.exe
4584	Lhdqnj32.exe
2712	Lidmhmnp.exe
212	Lnqeqd32.exe
3964	Lfjjga32.exe
5028	Lihfcm32.exe
2700	Lflgmqhd.exe
4712	Llipehgk.exe
3968	Leadnm32.exe
772	Medqcmki.exe
4564	Mpieqeko.exe
5144	Mefmimif.exe
5192	Mlpeff32.exe
5236	Mehjol32.exe
5276	Mpnnle32.exe
5316	Mpqkad32.exe
5400	Niipjj32.exe
5452	Neppokal.exe
5496	Npedmdab.exe
5536	Nebmekoi.exe
5572	Npgabc32.exe
5624	Ngaionfl.exe
5704	Nlnbgddc.exe
5740	Ngdfdmdi.exe
5780	Nheble32.exe
5828	Ogfcjm32.exe
5872	Oghppm32.exe
5924	Oocddono.exe
5964	Oenlqi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kflnfcgg.exe	Kpbfii32.exe
File opened for modification	C:\Windows\SysWOW64\Ggeboaob.exe	Gahjgj32.exe
File created	C:\Windows\SysWOW64\Igcoqocb.exe	Iohjlmeg.exe
File opened for modification	C:\Windows\SysWOW64\Lhdqnj32.exe	Kiodmn32.exe
File created	C:\Windows\SysWOW64\Fqokaeco.dll	Medqcmki.exe
File created	C:\Windows\SysWOW64\Ogfcjm32.exe	Nheble32.exe
File created	C:\Windows\SysWOW64\Kbbpccql.dll	5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe
File created	C:\Windows\SysWOW64\Nholna32.dll	Ggeboaob.exe
File created	C:\Windows\SysWOW64\Jodjhkkj.exe	Ienekbld.exe
File created	C:\Windows\SysWOW64\Nboahd32.dll	Lfjjga32.exe
File created	C:\Windows\SysWOW64\Lflgmqhd.exe	Lihfcm32.exe
File opened for modification	C:\Windows\SysWOW64\Gochjpho.exe	Fnckpmql.exe
File created	C:\Windows\SysWOW64\Inaoom32.dll	Lnqeqd32.exe
File created	C:\Windows\SysWOW64\Oeglpiqf.dll	Igcoqocb.exe
File created	C:\Windows\SysWOW64\Jqcdkk32.dll	Kngcje32.exe
File created	C:\Windows\SysWOW64\Ohlimd32.exe	Oenlqi32.exe
File created	C:\Windows\SysWOW64\Epeqehhl.dll	Iomcgl32.exe
File created	C:\Windows\SysWOW64\Oocddono.exe	Oghppm32.exe
File created	C:\Windows\SysWOW64\Oohnonij.exe	Oepifi32.exe
File opened for modification	C:\Windows\SysWOW64\Ophjiaql.exe	Ojnblg32.exe
File created	C:\Windows\SysWOW64\Iohjlmeg.exe	Hfpecg32.exe
File created	C:\Windows\SysWOW64\Qhjibgnp.dll	Hoogfnnb.exe
File opened for modification	C:\Windows\SysWOW64\Hofmfmhj.exe	Hfningai.exe
File opened for modification	C:\Windows\SysWOW64\Mpnnle32.exe	Mehjol32.exe
File created	C:\Windows\SysWOW64\Ngaionfl.exe	Npgabc32.exe
File created	C:\Windows\SysWOW64\Oepifi32.exe	Oofaiokl.exe
File opened for modification	C:\Windows\SysWOW64\Gkjhoq32.exe	Gochjpho.exe
File opened for modification	C:\Windows\SysWOW64\Ohlimd32.exe	Oenlqi32.exe
File created	C:\Windows\SysWOW64\Hhcjel32.dll	Oepifi32.exe
File created	C:\Windows\SysWOW64\Igjeanmj.exe	Ibnligoc.exe
File opened for modification	C:\Windows\SysWOW64\Kiodmn32.exe	Kfqgab32.exe
File created	C:\Windows\SysWOW64\Kkqdpn32.dll	Igjeanmj.exe
File created	C:\Windows\SysWOW64\Pfhkccfn.dll	Jicdap32.exe
File created	C:\Windows\SysWOW64\Lajdegod.dll	Oenlqi32.exe
File created	C:\Windows\SysWOW64\Knnckk32.dll	Fnckpmql.exe
File opened for modification	C:\Windows\SysWOW64\Oepifi32.exe	Oofaiokl.exe
File opened for modification	C:\Windows\SysWOW64\Nebmekoi.exe	Npedmdab.exe
File created	C:\Windows\SysWOW64\Lhdqnj32.exe	Kiodmn32.exe
File opened for modification	C:\Windows\SysWOW64\Kfqgab32.exe	Kimghn32.exe
File opened for modification	C:\Windows\SysWOW64\Ogfcjm32.exe	Nheble32.exe
File created	C:\Windows\SysWOW64\Egbejk32.dll	Hkehkocf.exe
File opened for modification	C:\Windows\SysWOW64\Hkehkocf.exe	Hdlpneli.exe
File created	C:\Windows\SysWOW64\Jgdhgmep.exe	Jnkcogno.exe
File created	C:\Windows\SysWOW64\Mpnnle32.exe	Mehjol32.exe
File created	C:\Windows\SysWOW64\Mpqkad32.exe	Mpnnle32.exe
File created	C:\Windows\SysWOW64\Jomdjhoo.dll	Niipjj32.exe
File created	C:\Windows\SysWOW64\Hoogfnnb.exe	Hdicienl.exe
File opened for modification	C:\Windows\SysWOW64\Oghppm32.exe	Ogfcjm32.exe
File created	C:\Windows\SysWOW64\Dphmbk32.dll	Ienekbld.exe
File created	C:\Windows\SysWOW64\Idpeeehm.dll	Ojnblg32.exe
File created	C:\Windows\SysWOW64\Lglfodah.dll	Leadnm32.exe
File opened for modification	C:\Windows\SysWOW64\Gafmaj32.exe	Gkjhoq32.exe
File created	C:\Windows\SysWOW64\Ibnligoc.exe	Iiehpahb.exe
File created	C:\Windows\SysWOW64\Lidmhmnp.exe	Lhdqnj32.exe
File created	C:\Windows\SysWOW64\Oghppm32.exe	Ogfcjm32.exe
File created	C:\Windows\SysWOW64\Gochjpho.exe	Fnckpmql.exe
File created	C:\Windows\SysWOW64\Madccamk.dll	Indmnh32.exe
File created	C:\Windows\SysWOW64\Ekfhooll.dll	Knbiofhg.exe
File created	C:\Windows\SysWOW64\Oqkclhkh.dll	Gkjhoq32.exe
File created	C:\Windows\SysWOW64\Hmhloljn.dll	Hfpecg32.exe
File created	C:\Windows\SysWOW64\Dhkehk32.dll	Iohjlmeg.exe
File created	C:\Windows\SysWOW64\Jleqgfim.dll	Ibnligoc.exe
File opened for modification	C:\Windows\SysWOW64\Jgdhgmep.exe	Jnkcogno.exe
File opened for modification	C:\Windows\SysWOW64\Leadnm32.exe	Llipehgk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohepjfbb.dll"	Ghpendjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfpecg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klgmcn32.dll"	Jodjhkkj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkehkocf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dphmbk32.dll"	Ienekbld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kimghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajdegod.dll"	Oenlqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oepifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnkcogno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpbfii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqokaeco.dll"	Medqcmki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oghppm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hoogfnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Igcoqocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dimini32.dll"	Kpbfii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idpeeehm.dll"	Ojnblg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noloin32.dll"	Mehjol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lacibgbo.dll"	Ngaionfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igjeanmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oocddono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqjbok32.dll"	Gochjpho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqiieebk.dll"	Kiodmn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnqeqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjnccp.dll"	Ogfcjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfjjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebmekoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifolfj32.dll"	Npgabc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdlpneli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jicdap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpieqeko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mehjol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jomdjhoo.dll"	Niipjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himnbjpd.dll"	Hdlpneli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hglipp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iflbnkbi.dll"	Hfningai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jecofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieefiiml.dll"	Nheble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdnhmdp.dll"	Oofaiokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogpepl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kimghn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfqgab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npgabc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlnbgddc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpnnle32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhjibgnp.dll"	Hoogfnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madccamk.dll"	Indmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jicdap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfjjga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkehk32.dll"	Iohjlmeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mehjol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npedmdab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afkicf32.dll"	Mefmimif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nheble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oenlqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhlkhcm.dll"	Nlnbgddc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibnligoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibnligoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noekdfjb.dll"	Kflnfcgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medqcmki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oohnonij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nholna32.dll"	Ggeboaob.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 984 wrote to memory of 320	984	5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe	93
PID 984 wrote to memory of 320	984	5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe	93
PID 984 wrote to memory of 320	984	5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe	93
PID 320 wrote to memory of 264	320	Fnckpmql.exe	94
PID 320 wrote to memory of 264	320	Fnckpmql.exe	94
PID 320 wrote to memory of 264	320	Fnckpmql.exe	94
PID 264 wrote to memory of 4440	264	Gochjpho.exe	95
PID 264 wrote to memory of 4440	264	Gochjpho.exe	95
PID 264 wrote to memory of 4440	264	Gochjpho.exe	95
PID 4440 wrote to memory of 4392	4440	Gkjhoq32.exe	96
PID 4440 wrote to memory of 4392	4440	Gkjhoq32.exe	96
PID 4440 wrote to memory of 4392	4440	Gkjhoq32.exe	96
PID 4392 wrote to memory of 4576	4392	Gafmaj32.exe	97
PID 4392 wrote to memory of 4576	4392	Gafmaj32.exe	97
PID 4392 wrote to memory of 4576	4392	Gafmaj32.exe	97
PID 4576 wrote to memory of 544	4576	Ghpendjj.exe	98
PID 4576 wrote to memory of 544	4576	Ghpendjj.exe	98
PID 4576 wrote to memory of 544	4576	Ghpendjj.exe	98
PID 544 wrote to memory of 3540	544	Gahjgj32.exe	99
PID 544 wrote to memory of 3540	544	Gahjgj32.exe	99
PID 544 wrote to memory of 3540	544	Gahjgj32.exe	99
PID 3540 wrote to memory of 216	3540	Ggeboaob.exe	100
PID 3540 wrote to memory of 216	3540	Ggeboaob.exe	100
PID 3540 wrote to memory of 216	3540	Ggeboaob.exe	100
PID 216 wrote to memory of 2132	216	Hdicienl.exe	102
PID 216 wrote to memory of 2132	216	Hdicienl.exe	102
PID 216 wrote to memory of 2132	216	Hdicienl.exe	102
PID 2132 wrote to memory of 2000	2132	Hoogfnnb.exe	103
PID 2132 wrote to memory of 2000	2132	Hoogfnnb.exe	103
PID 2132 wrote to memory of 2000	2132	Hoogfnnb.exe	103
PID 2000 wrote to memory of 3896	2000	Hdlpneli.exe	104
PID 2000 wrote to memory of 3896	2000	Hdlpneli.exe	104
PID 2000 wrote to memory of 3896	2000	Hdlpneli.exe	104
PID 3896 wrote to memory of 3952	3896	Hkehkocf.exe	105
PID 3896 wrote to memory of 3952	3896	Hkehkocf.exe	105
PID 3896 wrote to memory of 3952	3896	Hkehkocf.exe	105
PID 3952 wrote to memory of 1532	3952	Hglipp32.exe	106
PID 3952 wrote to memory of 1532	3952	Hglipp32.exe	106
PID 3952 wrote to memory of 1532	3952	Hglipp32.exe	106
PID 1532 wrote to memory of 3868	1532	Hfningai.exe	107
PID 1532 wrote to memory of 3868	1532	Hfningai.exe	107
PID 1532 wrote to memory of 3868	1532	Hfningai.exe	107
PID 4540 wrote to memory of 2392	4540	Hfpecg32.exe	109
PID 4540 wrote to memory of 2392	4540	Hfpecg32.exe	109
PID 4540 wrote to memory of 2392	4540	Hfpecg32.exe	109
PID 2392 wrote to memory of 2172	2392	Iohjlmeg.exe	110
PID 2392 wrote to memory of 2172	2392	Iohjlmeg.exe	110
PID 2392 wrote to memory of 2172	2392	Iohjlmeg.exe	110
PID 2172 wrote to memory of 2276	2172	Igcoqocb.exe	111
PID 2172 wrote to memory of 2276	2172	Igcoqocb.exe	111
PID 2172 wrote to memory of 2276	2172	Igcoqocb.exe	111
PID 2276 wrote to memory of 3796	2276	Ibicnh32.exe	112
PID 2276 wrote to memory of 3796	2276	Ibicnh32.exe	112
PID 2276 wrote to memory of 3796	2276	Ibicnh32.exe	112
PID 3796 wrote to memory of 2028	3796	Iomcgl32.exe	113
PID 3796 wrote to memory of 2028	3796	Iomcgl32.exe	113
PID 3796 wrote to memory of 2028	3796	Iomcgl32.exe	113
PID 2028 wrote to memory of 4144	2028	Iiehpahb.exe	114
PID 2028 wrote to memory of 4144	2028	Iiehpahb.exe	114
PID 2028 wrote to memory of 4144	2028	Iiehpahb.exe	114
PID 4144 wrote to memory of 692	4144	Ibnligoc.exe	115
PID 4144 wrote to memory of 692	4144	Ibnligoc.exe	115
PID 4144 wrote to memory of 692	4144	Ibnligoc.exe	115
PID 692 wrote to memory of 872	692	Igjeanmj.exe	116

C:\Users\Admin\AppData\Local\Temp\5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe
"C:\Users\Admin\AppData\Local\Temp\5cbd72b5758ad122d1c39717631aba62fffa96e13812af98f88b3b8a20b3903e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:984
- C:\Windows\SysWOW64\Fnckpmql.exe
  C:\Windows\system32\Fnckpmql.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\Gochjpho.exe
    C:\Windows\system32\Gochjpho.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:264
  - - C:\Windows\SysWOW64\Gkjhoq32.exe
      C:\Windows\system32\Gkjhoq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\SysWOW64\Gafmaj32.exe
        
        C:\Windows\system32\Gafmaj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
      - C:\Windows\SysWOW64\Ghpendjj.exe
        
        C:\Windows\system32\Ghpendjj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Gahjgj32.exe
        
        C:\Windows\system32\Gahjgj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Ggeboaob.exe
        
        C:\Windows\system32\Ggeboaob.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Hdicienl.exe
        
        C:\Windows\system32\Hdicienl.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Hoogfnnb.exe
        
        C:\Windows\system32\Hoogfnnb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Hdlpneli.exe
        
        C:\Windows\system32\Hdlpneli.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Hkehkocf.exe
        
        C:\Windows\system32\Hkehkocf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Hglipp32.exe
        
        C:\Windows\system32\Hglipp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Hfningai.exe
        
        C:\Windows\system32\Hfningai.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Hofmfmhj.exe
        
        C:\Windows\system32\Hofmfmhj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3868
        
        C:\Windows\SysWOW64\Hfpecg32.exe
        
        C:\Windows\system32\Hfpecg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Iohjlmeg.exe
        
        C:\Windows\system32\Iohjlmeg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Igcoqocb.exe
        
        C:\Windows\system32\Igcoqocb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ibicnh32.exe
        
        C:\Windows\system32\Ibicnh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Iomcgl32.exe
        
        C:\Windows\system32\Iomcgl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Iiehpahb.exe
        
        C:\Windows\system32\Iiehpahb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Ibnligoc.exe
        
        C:\Windows\system32\Ibnligoc.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\SysWOW64\Igjeanmj.exe
        
        C:\Windows\system32\Igjeanmj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Indmnh32.exe
        
        C:\Windows\system32\Indmnh32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Ienekbld.exe
        
        C:\Windows\system32\Ienekbld.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\Jodjhkkj.exe
        
        C:\Windows\system32\Jodjhkkj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Jecofa32.exe
        
        C:\Windows\system32\Jecofa32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Jnkcogno.exe
        
        C:\Windows\system32\Jnkcogno.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Jgdhgmep.exe
        
        C:\Windows\system32\Jgdhgmep.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\Jicdap32.exe
        
        C:\Windows\system32\Jicdap32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Jfgdkd32.exe
        
        C:\Windows\system32\Jfgdkd32.exe
        31⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\Knbiofhg.exe
        
        C:\Windows\system32\Knbiofhg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\Kpbfii32.exe
        
        C:\Windows\system32\Kpbfii32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Kflnfcgg.exe
        
        C:\Windows\system32\Kflnfcgg.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Kngcje32.exe
        
        C:\Windows\system32\Kngcje32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\Kimghn32.exe
        
        C:\Windows\system32\Kimghn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Kfqgab32.exe
        
        C:\Windows\system32\Kfqgab32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Kiodmn32.exe
        
        C:\Windows\system32\Kiodmn32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Lhdqnj32.exe
        
        C:\Windows\system32\Lhdqnj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\Lidmhmnp.exe
        
        C:\Windows\system32\Lidmhmnp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2712
        
        C:\Windows\SysWOW64\Lnqeqd32.exe
        
        C:\Windows\system32\Lnqeqd32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\Lfjjga32.exe
        
        C:\Windows\system32\Lfjjga32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Lihfcm32.exe
        
        C:\Windows\system32\Lihfcm32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\Lflgmqhd.exe
        
        C:\Windows\system32\Lflgmqhd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\Llipehgk.exe
        
        C:\Windows\system32\Llipehgk.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\Leadnm32.exe
        
        C:\Windows\system32\Leadnm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Medqcmki.exe
        
        C:\Windows\system32\Medqcmki.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:772
        
        C:\Windows\SysWOW64\Mpieqeko.exe
        
        C:\Windows\system32\Mpieqeko.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Mefmimif.exe
        
        C:\Windows\system32\Mefmimif.exe
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5144
        
        C:\Windows\SysWOW64\Mlpeff32.exe
        
        C:\Windows\system32\Mlpeff32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5192
        
        C:\Windows\SysWOW64\Mehjol32.exe
        
        C:\Windows\system32\Mehjol32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Mpnnle32.exe
        
        C:\Windows\system32\Mpnnle32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Mpqkad32.exe
        
        C:\Windows\system32\Mpqkad32.exe
        53⤵
        Executes dropped EXE
        
        PID:5316
        
        C:\Windows\SysWOW64\Niipjj32.exe
        
        C:\Windows\system32\Niipjj32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\SysWOW64\Neppokal.exe
        
        C:\Windows\system32\Neppokal.exe
        55⤵
        Executes dropped EXE
        
        PID:5452
        
        C:\Windows\SysWOW64\Npedmdab.exe
        
        C:\Windows\system32\Npedmdab.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Nebmekoi.exe
        
        C:\Windows\system32\Nebmekoi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5536
        
        C:\Windows\SysWOW64\Npgabc32.exe
        
        C:\Windows\system32\Npgabc32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Ngaionfl.exe
        
        C:\Windows\system32\Ngaionfl.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5624
        
        C:\Windows\SysWOW64\Nlnbgddc.exe
        
        C:\Windows\system32\Nlnbgddc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5704
        
        C:\Windows\SysWOW64\Ngdfdmdi.exe
        
        C:\Windows\system32\Ngdfdmdi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5740
        
        C:\Windows\SysWOW64\Nheble32.exe
        
        C:\Windows\system32\Nheble32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5780
        
        C:\Windows\SysWOW64\Ogfcjm32.exe
        
        C:\Windows\system32\Ogfcjm32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5828
        
        C:\Windows\SysWOW64\Oghppm32.exe
        
        C:\Windows\system32\Oghppm32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5872
        
        C:\Windows\SysWOW64\Oocddono.exe
        
        C:\Windows\system32\Oocddono.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Oenlqi32.exe
        
        C:\Windows\system32\Oenlqi32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5964
        
        C:\Windows\SysWOW64\Ohlimd32.exe
        
        C:\Windows\system32\Ohlimd32.exe
        67⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\Oofaiokl.exe
        
        C:\Windows\system32\Oofaiokl.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Oepifi32.exe
        
        C:\Windows\system32\Oepifi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Oohnonij.exe
        
        C:\Windows\system32\Oohnonij.exe
        70⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Ogpepl32.exe
        
        C:\Windows\system32\Ogpepl32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Ojnblg32.exe
        
        C:\Windows\system32\Ojnblg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ophjiaql.exe
        
        C:\Windows\system32\Ophjiaql.exe
        73⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\Ocffempp.exe
        
        C:\Windows\system32\Ocffempp.exe
        74⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\Pedbahod.exe
        
        C:\Windows\system32\Pedbahod.exe
        75⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Ploknb32.exe
        
        C:\Windows\system32\Ploknb32.exe
        76⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Pcicklnn.exe
        
        C:\Windows\system32\Pcicklnn.exe
        77⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\Ppmcdq32.exe
        
        C:\Windows\system32\Ppmcdq32.exe
        78⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Pfillg32.exe
        
        C:\Windows\system32\Pfillg32.exe
        79⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\Plcdiabk.exe
        
        C:\Windows\system32\Plcdiabk.exe
        80⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Pcmlfl32.exe
        
        C:\Windows\system32\Pcmlfl32.exe
        81⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\Pflibgil.exe
        
        C:\Windows\system32\Pflibgil.exe
        82⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\Pleaoa32.exe
        
        C:\Windows\system32\Pleaoa32.exe
        83⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Pcpikkge.exe
        
        C:\Windows\system32\Pcpikkge.exe
        84⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\Pgkelj32.exe
        
        C:\Windows\system32\Pgkelj32.exe
        85⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\Pqcjepfo.exe
        
        C:\Windows\system32\Pqcjepfo.exe
        86⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\Qcbfakec.exe
        
        C:\Windows\system32\Qcbfakec.exe
        87⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Qfpbmfdf.exe
        
        C:\Windows\system32\Qfpbmfdf.exe
        88⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Qhonib32.exe
        
        C:\Windows\system32\Qhonib32.exe
        89⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\Qcdbfk32.exe
        
        C:\Windows\system32\Qcdbfk32.exe
        90⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\Qfbobf32.exe
        
        C:\Windows\system32\Qfbobf32.exe
        91⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\Qhakoa32.exe
        
        C:\Windows\system32\Qhakoa32.exe
        92⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\Qqhcpo32.exe
        
        C:\Windows\system32\Qqhcpo32.exe
        93⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Acgolj32.exe
        
        C:\Windows\system32\Acgolj32.exe
        94⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Amodep32.exe
        
        C:\Windows\system32\Amodep32.exe
        95⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\Acilajpk.exe
        
        C:\Windows\system32\Acilajpk.exe
        96⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Ahfdjanb.exe
        
        C:\Windows\system32\Ahfdjanb.exe
        97⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\Ackigjmh.exe
        
        C:\Windows\system32\Ackigjmh.exe
        98⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Aihaoqlp.exe
        
        C:\Windows\system32\Aihaoqlp.exe
        99⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\Aobilkcl.exe
        
        C:\Windows\system32\Aobilkcl.exe
        100⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\Agiamhdo.exe
        
        C:\Windows\system32\Agiamhdo.exe
        101⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Aijnep32.exe
        
        C:\Windows\system32\Aijnep32.exe
        102⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\Aqaffn32.exe
        
        C:\Windows\system32\Aqaffn32.exe
        103⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\Acpbbi32.exe
        
        C:\Windows\system32\Acpbbi32.exe
        104⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Afnnnd32.exe
        
        C:\Windows\system32\Afnnnd32.exe
        105⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\Amhfkopc.exe
        
        C:\Windows\system32\Amhfkopc.exe
        106⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\Bogcgj32.exe
        
        C:\Windows\system32\Bogcgj32.exe
        107⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\Bfqkddfd.exe
        
        C:\Windows\system32\Bfqkddfd.exe
        108⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\Bmkcqn32.exe
        
        C:\Windows\system32\Bmkcqn32.exe
        109⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\Bcelmhen.exe
        
        C:\Windows\system32\Bcelmhen.exe
        110⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\Bfchidda.exe
        
        C:\Windows\system32\Bfchidda.exe
        111⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\Bmmpfn32.exe
        
        C:\Windows\system32\Bmmpfn32.exe
        112⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\Bgbdcgld.exe
        
        C:\Windows\system32\Bgbdcgld.exe
        113⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\Bjaqpbkh.exe
        
        C:\Windows\system32\Bjaqpbkh.exe
        114⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Bidqko32.exe
        
        C:\Windows\system32\Bidqko32.exe
        115⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Bqkill32.exe
        
        C:\Windows\system32\Bqkill32.exe
        116⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\Bfhadc32.exe
        
        C:\Windows\system32\Bfhadc32.exe
        117⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\Bppfmigl.exe
        
        C:\Windows\system32\Bppfmigl.exe
        118⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Bggnof32.exe
        
        C:\Windows\system32\Bggnof32.exe
        119⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\Bjfjka32.exe
        
        C:\Windows\system32\Bjfjka32.exe
        120⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\Cqpbglno.exe
        
        C:\Windows\system32\Cqpbglno.exe
        121⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Cgjjdf32.exe
        
        C:\Windows\system32\Cgjjdf32.exe
        122⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\Cikglnkj.exe
        
        C:\Windows\system32\Cikglnkj.exe
        123⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\Cjjcfabm.exe
        
        C:\Windows\system32\Cjjcfabm.exe
        124⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\Ccchof32.exe
        
        C:\Windows\system32\Ccchof32.exe
        125⤵
        
        PID:60
        
        C:\Windows\SysWOW64\Cippgm32.exe
        
        C:\Windows\system32\Cippgm32.exe
        126⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\Cgqqdeod.exe
        
        C:\Windows\system32\Cgqqdeod.exe
        127⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\Caienjfd.exe
        
        C:\Windows\system32\Caienjfd.exe
        128⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\Ccgajfeh.exe
        
        C:\Windows\system32\Ccgajfeh.exe
        129⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Cjaifp32.exe
        
        C:\Windows\system32\Cjaifp32.exe
        130⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\Dakacjdb.exe
        
        C:\Windows\system32\Dakacjdb.exe
        131⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\Dgejpd32.exe
        
        C:\Windows\system32\Dgejpd32.exe
        132⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\Dannij32.exe
        
        C:\Windows\system32\Dannij32.exe
        133⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\Dfjgaq32.exe
        
        C:\Windows\system32\Dfjgaq32.exe
        134⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\Diicml32.exe
        
        C:\Windows\system32\Diicml32.exe
        135⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Dhjckcgi.exe
        
        C:\Windows\system32\Dhjckcgi.exe
        136⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\Dabhdinj.exe
        
        C:\Windows\system32\Dabhdinj.exe
        137⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Dhlpqc32.exe
        
        C:\Windows\system32\Dhlpqc32.exe
        138⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\Dinmhkke.exe
        
        C:\Windows\system32\Dinmhkke.exe
        139⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\Daediilg.exe
        
        C:\Windows\system32\Daediilg.exe
        140⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\Ddcqedkk.exe
        
        C:\Windows\system32\Ddcqedkk.exe
        141⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\Dfamapjo.exe
        
        C:\Windows\system32\Dfamapjo.exe
        142⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Djmibn32.exe
        
        C:\Windows\system32\Djmibn32.exe
        143⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\Ehailbaa.exe
        
        C:\Windows\system32\Ehailbaa.exe
        144⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\Efdjgo32.exe
        
        C:\Windows\system32\Efdjgo32.exe
        145⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\Emnbdioi.exe
        
        C:\Windows\system32\Emnbdioi.exe
        146⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\Eplnpeol.exe
        
        C:\Windows\system32\Eplnpeol.exe
        147⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\Efffmo32.exe
        
        C:\Windows\system32\Efffmo32.exe
        148⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Ealkjh32.exe
        
        C:\Windows\system32\Ealkjh32.exe
        149⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\Efhcbodf.exe
        
        C:\Windows\system32\Efhcbodf.exe
        150⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\Emehdh32.exe
        
        C:\Windows\system32\Emehdh32.exe
        151⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\Ehjlaaig.exe
        
        C:\Windows\system32\Ehjlaaig.exe
        152⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\Fkihnmhj.exe
        
        C:\Windows\system32\Fkihnmhj.exe
        153⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\Fphnlcdo.exe
        
        C:\Windows\system32\Fphnlcdo.exe
        154⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\Fhofmq32.exe
        
        C:\Windows\system32\Fhofmq32.exe
        155⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Fagjfflb.exe
        
        C:\Windows\system32\Fagjfflb.exe
        156⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\Gkdhjknm.exe
        
        C:\Windows\system32\Gkdhjknm.exe
        157⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\Gaopfe32.exe
        
        C:\Windows\system32\Gaopfe32.exe
        158⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\Ghhhcomg.exe
        
        C:\Windows\system32\Ghhhcomg.exe
        159⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\Gijekg32.exe
        
        C:\Windows\system32\Gijekg32.exe
        160⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\Gpcmga32.exe
        
        C:\Windows\system32\Gpcmga32.exe
        161⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\Ggnedlao.exe
        
        C:\Windows\system32\Ggnedlao.exe
        162⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\Gnhnaf32.exe
        
        C:\Windows\system32\Gnhnaf32.exe
        163⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\Gpfjma32.exe
        
        C:\Windows\system32\Gpfjma32.exe
        164⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\Ggpbjkpl.exe
        
        C:\Windows\system32\Ggpbjkpl.exe
        165⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\Gnjjfegi.exe
        
        C:\Windows\system32\Gnjjfegi.exe
        166⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\Gphgbafl.exe
        
        C:\Windows\system32\Gphgbafl.exe
        167⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\Ggbook32.exe
        
        C:\Windows\system32\Ggbook32.exe
        168⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\Gknkpjfb.exe
        
        C:\Windows\system32\Gknkpjfb.exe
        169⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\Gahcmd32.exe
        
        C:\Windows\system32\Gahcmd32.exe
        170⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\Hgelek32.exe
        
        C:\Windows\system32\Hgelek32.exe
        171⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\Hnodaecc.exe
        
        C:\Windows\system32\Hnodaecc.exe
        172⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\Hjedffig.exe
        
        C:\Windows\system32\Hjedffig.exe
        173⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\Hgiepjga.exe
        
        C:\Windows\system32\Hgiepjga.exe
        174⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\Haoimcgg.exe
        
        C:\Windows\system32\Haoimcgg.exe
        175⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\Hhiajmod.exe
        
        C:\Windows\system32\Hhiajmod.exe
        176⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Hnfjbdmk.exe
        
        C:\Windows\system32\Hnfjbdmk.exe
        177⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\Hdpbon32.exe
        
        C:\Windows\system32\Hdpbon32.exe
        178⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\Hnhghcki.exe
        
        C:\Windows\system32\Hnhghcki.exe
        179⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\Ihnkel32.exe
        
        C:\Windows\system32\Ihnkel32.exe
        180⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\Iklgah32.exe
        
        C:\Windows\system32\Iklgah32.exe
        181⤵
        
        PID:7828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dabhdinj.exe

Filesize
199KB

MD5
d813ee553f77e5d7f4d209dada1a6bf8

SHA1
091591beaf24f06f3c74ca4b1220262df51906b4

SHA256
8fbb016ffccc7b81a6da47f0680259fbdae4433ad572c1a5eaad91b7c68b106c

SHA512
b7e746800594e69df45db79028bdc4d70bb5b389a6f68c667aecb4003b12d79831410ff8655744e7512b3e84b2ac57a855db3ddc32726985631ac351ea6e5089

Download Submit
C:\Windows\SysWOW64\Fnckpmql.exe

Filesize
199KB

MD5
fb5b7ce5c42cd7c069703bd17fe305a1

SHA1
ff41f163174606d25f70f86a75f87ff25f129c9d

SHA256
0bd16ffbc50acaec909b4e6bbdb1ce79078926c924f466a819f8943dee646d0e

SHA512
5f5c5f372e339e92e98a32c8a44de0bac68f240374df864c4b644e2fcb3a5d467ac2f95cf4f5aa2ffd21747d6f77f0aa051044e816a106350d00166f561791df

Download Submit
C:\Windows\SysWOW64\Gafmaj32.exe

Filesize
199KB

MD5
bcdb98b6c3fe048f7c66dced9312a8a6

SHA1
87052fccd1b35f9bff84955ab16856313f99c980

SHA256
6be3f902ce433befad5b90f58b2278b66d78f679e89bf56403e5d5c5d70df335

SHA512
2ed84fd79c4b035bb88b3dc4e7780adf68cfc401c2488a26143765608d7b6f28bc9c2f8193d3ff3fca9f335b4f363d05ec047fc5e7f8d1cc14cad0e072614b52

Download Submit
C:\Windows\SysWOW64\Gahcmd32.exe

Filesize
199KB

MD5
47dbd11f8c6d586e962fa51258a65823

SHA1
0b03ed2def80148472d675ee8b02d228c48393fc

SHA256
3e534e5115bbfbfc82bdacfb111b96a7502f737829ee85128a1d7f24cb4a6a46

SHA512
7644a84d0fba42b22d9307a772e0029452df0f6cccd554625525220009ce9de10580640f9d4c1be577f63bee98d1b617d8b68d1d96a062a598bb20af66a02704

Download Submit
C:\Windows\SysWOW64\Gahjgj32.exe

Filesize
199KB

MD5
ec1d16ec1c4d7a3c7d3e3a04369b1fa4

SHA1
e62f68b45991cdb03288a9873259f2ca540d63ac

SHA256
286d430b7b0514ac57e0a1206f93d539e9541b2cbff76d49189876fba191d723

SHA512
500e8deeff14f5d3d2db5d26337a40830ffaee1d95aae291470b6159020801a552e80eb9313281659e7e38470dac9134020c7a8b8fdf8e378fafb9d826dbbab2

Download Submit
C:\Windows\SysWOW64\Ggeboaob.exe

Filesize
199KB

MD5
04193aa3cf18c3dbeca49bc1ef23ea1b

SHA1
38003ed4b6d8b90f0097bf6b23e1e30cf0ea1cf0

SHA256
284cd71bf6b522caddc5838fcdcddbc017931cb6b48bb9220a38a16edda32a50

SHA512
6566f3e162643b96802e8faa58a21a5a4473aa3f2f47648fd95ea4a870b7679c4c88ac47b04727509c15c4a3d048e5f6dda70c7eb76b6b124c171b1ccadf8eea

Download Submit
C:\Windows\SysWOW64\Ghpendjj.exe

Filesize
199KB

MD5
00efb339996187c61deaccd38dee6739

SHA1
7608451d4fa234be0485817aeefa32e0e6855e8a

SHA256
99f25181ce0780c179a1fb0e2ac0d838b51b5dbb94e8c8cda60638c85678a79a

SHA512
b8933b85f9db83e512475c93ea1c284ee68751b85a355a5a0d46d8885d37062f9c6143dd09fee2050b6cc81a639eed9f8f831ed482040945da4316d917abfd7f

Download Submit
C:\Windows\SysWOW64\Gkdhjknm.exe

Filesize
199KB

MD5
76d3949fbdb125d70c4f869f721a2056

SHA1
d111d4342ebd636b7c0080867d3e5c04e73ee2a7

SHA256
877757b6f75b079002daf813b92b15d37cf42cca7d6e972760c09acde6c9ede2

SHA512
e789d7949d2de8f2dbe529f4affe53e2f13da19fa43d62918e10559dda434b074ee6bb61687911ef969f8ccb347c514484b69087e1e8de5124456ffd2aceb9ec

Download Submit
C:\Windows\SysWOW64\Gkjhoq32.exe

Filesize
199KB

MD5
263d85a4ff2320568b31f0f45b560fde

SHA1
e76ac4882376d97ab33957b1adead0aaae980b99

SHA256
3014aa6b9d3646680519b4f84486ab8557c6182e9625db3be49211c5016790f8

SHA512
b58a6deadaa12ca2158b5ba8433270f4a8e20ef3e79a039c2282a93df1e973e3243810c5e8da562afddf29589fb85016e4e871c056c482187b5d012a57606a19

Download Submit
C:\Windows\SysWOW64\Gochjpho.exe

Filesize
199KB

MD5
f0cf12b201dd55f1212076691590fea4

SHA1
abc30d5f8a09a64d082d724b840265aa3cbf5a0c

SHA256
ea6643980ac302f21d44a4ae000941d2006c899a6dfe7a50f93d1738631e49b7

SHA512
b0b46747aebfc53cae72dba394623a5dcefcf67f3278579f514fe1b4880b79c5088bb5c67bd303cf1c191e5eb8a3ce6e6faf1e6ea71dd9005a9a3caa148c6172

Download Submit
C:\Windows\SysWOW64\Hdicienl.exe

Filesize
199KB

MD5
ca2b8d55ff2f7575b68484e9544d8591

SHA1
67690333f79b95da3fedfc38cf09417af42421c8

SHA256
22072a3d2bb347c7a693de75093aaecc1a647b5b7f49f6ec56e8d827d201e3b7

SHA512
0bdd6758ca0606ac90702a896631c62ddee240976f40eda1ea52d5346baab57c599db83966e5675749faedd98cc860fd13baedfca0592293417c361619cd42f1

Download Submit
C:\Windows\SysWOW64\Hdlpneli.exe

Filesize
199KB

MD5
37ab6a3366f4f47c8a0ec7b1b2d310d9

SHA1
515e1bf6184c3211ff1199bf7ea1120828ebb88f

SHA256
a8ce6bf99d3f687f6ee3b16720d314c21feb86c6062facad93f205064fb79c30

SHA512
2ff9129b98f18554880d199f02a5c869075aac06aaabb9f5d79ecb90d3a95e5e51202e09be4a80dd33782d848eed09aa70a68256515a790872e37fa0bdcd8529

Download Submit
C:\Windows\SysWOW64\Hfningai.exe

Filesize
199KB

MD5
c8426873fb471d4a86e199048571e925

SHA1
c0e833b4304ef4d7c2e93fbe93be85c8a01ecfcc

SHA256
0100050158c437e04d437d616541c236c0d0511c7bbc4f57cd7637e6ae2da5b3

SHA512
d3c332c70dfacfe634b3591e4e9d8d39ea21ade11b740dad9f34146b3c1637bd75e8c9bfb17580a00aea9c8036418c321e9c4f1103a8b548a4c8390c707e82ff

Download Submit
C:\Windows\SysWOW64\Hglipp32.exe

Filesize
199KB

MD5
cdc7b4df48ac76cd13a0c7f69b473b71

SHA1
7d392ac8b23370bef600126716969ce590db651b

SHA256
688168e1149cc06a0abeafaad6cff6ab2d98d00197063de7652fd894225360b3

SHA512
16b4fbcfc798c73648184de2768a2b13d1525ffe592dd4119ff1aa18776fe0b998fc4b52ec6ab25a5d00a08d38255328c230b6e2412de97d7a106a55e36ee69e

Download Submit
C:\Windows\SysWOW64\Hkehkocf.exe

Filesize
199KB

MD5
106cd8fa574643e64928ab12f12ac863

SHA1
e6627ebe91d8fa2f231eddea8a88bcbfd2b91061

SHA256
f39f860a21bd59242ba32a034f4167eac8ab2fa0d2f187588a257c129ffc2826

SHA512
feb0fdf22c975d4fe0761675f6660eb4958a643ce888bf66235f62d33991afba1b8efc5ee624f3276412eb74be18be0e17ce2db627c0e2c48cad754c2a011938

Download Submit
C:\Windows\SysWOW64\Hnodaecc.exe

Filesize
199KB

MD5
43a98fa6eb4fbd669e157b381dc55b86

SHA1
57f7244a158061d4e1e51d988a6d64ca2639f35f

SHA256
57ccd4a58d9a0ff28aea77457c40454372e7fc6eeb9e7bfe3f97845457d4f069

SHA512
df4df1b0a6bfc9399b9a6c298de555b3a4c604c4813b9bab3800aae86441bb060c0361002335e6f783be25a95219f6df04951aaae53d5b2de5f3693c0e9e87e1

Download Submit
C:\Windows\SysWOW64\Hofmfmhj.exe

Filesize
199KB

MD5
b251f7ea0f6fee5b6c377a0ee3bad128

SHA1
8bae823c6258e4a6cb61dcd2187ed9cc155a4250

SHA256
1604e0a90c6413b7d3af63a271cb7b6f237b4fe5ed08e73267810e86610038e4

SHA512
966a4a6d3a5bb44ea93f7d5b29d36fb86c7b250a78be92553467f4e8172f29b99292fc93c71bb365a372ed255b9ad390f77666b9466250c4ece28938cac3f3d6

Download Submit
C:\Windows\SysWOW64\Hoogfnnb.exe

Filesize
199KB

MD5
d7ac80e33b9eba695e0dc51a60146def

SHA1
4ab23098ccc532c5aa9b1c00bd51cfbe2be23b73

SHA256
00d4a8d455cfc66a7bfb16b7cd8d318fca63a3c2618b3bc21c26a0349f4ba62a

SHA512
f568353c807e43b733d2ead9a11e7f3253da75d15bd1215d95d4c624e6a39cbd40d446d6fae31a779aed50df4105e2f133aa87f980796d2ce95521b95419f003

Download Submit
C:\Windows\SysWOW64\Ibicnh32.exe

Filesize
199KB

MD5
c99ffab6383713eb09ac599c49f37fdb

SHA1
6a2942740c841ce73e1ce642fa4c7e7723158081

SHA256
99d2c0ea01abfe2199191d4ed92518d7f4aa2b753bb4ea14b8e2bbfeae72ae4a

SHA512
6a4c6f2c705c21742265e14dc05ac762f8b67bd72c92d92995b9a110a8a3cd45abe15ce72a122380dda2bd477b4dc636df8dbfc30e7eef38e80c47015ad71fc6

Download Submit
C:\Windows\SysWOW64\Ibnligoc.exe

Filesize
199KB

MD5
7bcc78220cdba81d61c48f5d8123558f

SHA1
1e9c231fd93a7f3df4bfe09caed16d323c9db38f

SHA256
0da4153d92b25beeb2860d1a7c050e87bcc9ba9bc69dc257dd5e7db71dc29768

SHA512
f9cbea64d57aaac2f240af4d01c75f1be8bccd4d254f964797b1443e27ea0c479e323edf4ae4af34e021cd44a8f613d0280cfbf8ffb93d78f6c12bbf81925c7e

Download Submit
C:\Windows\SysWOW64\Ienekbld.exe

Filesize
199KB

MD5
a3409d5e13e4246b91bd6f980a287cc6

SHA1
d23082ee0a69c1bf68092ae2bbe241c5791fd129

SHA256
15a7ba4925b64c11310ab13f0de77acaef56ea0f023cbb86f2ba28d18593b68b

SHA512
6212ed6e8514e112b94d10d154cb87cf5341752ed113ef169dbc378b5e97ec3cd132b877072c1aa744697941c4ecae68e768743012b0c764bcff451602eb4adb

Download Submit
C:\Windows\SysWOW64\Igcoqocb.exe

Filesize
199KB

MD5
3b02afefb85835553bf6a8fc7f73d36f

SHA1
9888fc52ab4e33486d314ba00beaeef08c7ecce8

SHA256
099d90839e53d7469c44533a466d09ae5d26fb0436aa1b0243b15386e54acba7

SHA512
d6735fedb24cd1eafee50f259323b82db053cfcc6918ddcdfeeb1a4b494398aa54a7af7a9476ce3544d132071af553ffd8385e2eb3535479798c4639d8f3012c

Download Submit
C:\Windows\SysWOW64\Igjeanmj.exe

Filesize
199KB

MD5
b6fa85d0b16f92c23e4da765505c28c9

SHA1
c66278299ed1439a2a8e5470eb928c2031c82af1

SHA256
5ca3f04658e5fa8ef68ee19fd48a40a30d6b70b38290f1a02cd3a747da3260c1

SHA512
db3b6f5870cdaa720bacfb63027b01e68424aa0f0ee4371b5d762ca983965e6dc5249240505aac761f269bea0fc784b781e6e40b4536168b3ffce89b638946b0

Download Submit
C:\Windows\SysWOW64\Iiehpahb.exe

Filesize
199KB

MD5
8f867f0c89f769afd08683c58ea8344a

SHA1
b9060cbefd837472e6d0be5bb7f06a9b05bfa57f

SHA256
499d76f5445f33fdb0237e87f0a58d3de8e0376f3a4ace72f70fd5adda275b98

SHA512
2e18e906b3ec26c911304b40666432e59889fac9113b6d2ca924778bcef3cd58245aeaa155558fd95b0c7abb62a440ec21dcd65ff9ad2f08f9bb4edc448a4d74

Download Submit
C:\Windows\SysWOW64\Indmnh32.exe

Filesize
199KB

MD5
c716f50ba294cfd8b5f6129db5943c83

SHA1
3aa8b33d9f18663e3790a410f4d662aa209cf74e

SHA256
a08f7797084a1924f2704fd94dc0173fd9b2483d247e84c033d7ffec9a586548

SHA512
6b48df2d7bd6071d39f6c894c89372616da082aeb24a7d8c72063ecc2aa4aabce8f1f2d313b34d1a7a12bdc49aaeb60085c19dcf09299ccfabd633ccf36338a1

Download Submit
C:\Windows\SysWOW64\Iohjlmeg.exe

Filesize
199KB

MD5
d627dd3a100ac6468348f99ecd27a472

SHA1
cdc49e433ffae4cf4bde4e3e23613669aeccb887

SHA256
999d532262e309cdac4be4c26e7a006c4634279d3f8d111d1dca3b95d2a0f75b

SHA512
97c7bb0d1ea220070319634f7c77a3a947e749b48316c60c4ba57a61057018b482a807b2ac13c44045e80e1d421728619f35d90cf1cc77136cd693cd05b0b7df

Download Submit
C:\Windows\SysWOW64\Iomcgl32.exe

Filesize
199KB

MD5
594b391a250c45151522ef28f43b71c4

SHA1
d9c63bdc0656904b99b44d23ee9a6e5784f73627

SHA256
081096d6db9ff343c2220f65f5d30c7e1397496b3fbdf5f728b55a747de98f67

SHA512
6c7649d6ce9a35a22bc7a5d7709ba69a75a79ef6d689919cb039ccd496c5b8db8483be1b410dcf6ac5f87ed6539ff36a55255e1b1125fd1a21b9db719f2e4c8c

Download Submit
C:\Windows\SysWOW64\Jecofa32.exe

Filesize
199KB

MD5
2c25b8d6cd6d3f84293ea0c6eba23e12

SHA1
3d2da9151a3ed56777f0e404268afc9300194aa1

SHA256
e882bb8a77a7e6de004cb41df7f0fe424cbb76e25b3d612ab0a4f62968f13bc8

SHA512
09f9aa3ae4a7e140a4e89e1b1261e01f6a7ffd3ba998a3ce8ebf98d0c6cdb1f0b5daca2b20ed41c8b0f6ff5e8bbe63570884a8e2f497c957485c44e5322f3c3a

Download Submit
C:\Windows\SysWOW64\Jfgdkd32.exe

Filesize
199KB

MD5
0adba551dfcd2f1afae2ff309435e406

SHA1
679e6233820ae4c669eaa8ffcf67d18b6abdf345

SHA256
c830346ff70226b2a2e584b4ca4a888738776eb98677ec648bbc4ac384cba189

SHA512
ee3e7190d71b255b31e6e083253868796254525c28b6c64751debf42d42ffe04a50bb682dff4f03dbdd6d9e9ea1428dd37d035530505f0a54ce5043eaae731c9

Download Submit
C:\Windows\SysWOW64\Jgdhgmep.exe

Filesize
199KB

MD5
13812b72d73f9368639a026b66557439

SHA1
98d501e4a5aba11d8f958010ac5a1e8a7c52fd73

SHA256
cbc9b288e100980834abfa115a3e38a19c810e4b220e147908b4742f503c25c2

SHA512
642dfe7618001a506b69902189a58c8d770f53307324c7d76850438de0b3683a843b82ffe8c002e23e39329032008ea2670e16f1c37ebe3e7791c95cd1c4714c

Download Submit
C:\Windows\SysWOW64\Jicdap32.exe

Filesize
199KB

MD5
5beda99d08966af7aa85c8797201a2d7

SHA1
d9e07f5099addc5340ceccc34d81281bf3a804ff

SHA256
a327645d6606c2b26e0470e9f8d816a50e83db1b92d5ba786859b647feab7098

SHA512
acec38a982f2b492cfa0111f5f5a37db9c21a831a5da850c61cf595c676b27bd62b4ed9c56794da072e0aea434e2405f717cac7ebbb101bc44a50a417ba8cbe4

Download Submit
C:\Windows\SysWOW64\Jnkcogno.exe

Filesize
199KB

MD5
56ccfeec1fb0c25f1e39b18efa0b79b7

SHA1
b8df5b84aaef4bc61696d919e877c8ed0751899f

SHA256
7b375f32fcd645e23e7817da66963b9f836e7872953fc963c655a5dd4dd95a91

SHA512
8e48f7bd8eab7355672648b9d5e1f48b112c96c761aff95cc879d4af79a2efbe8302fb58cdf2e0cc757e48226bdbdc61748bfb7fe788476d12cf56f5ad832124

Download Submit
C:\Windows\SysWOW64\Jodjhkkj.exe

Filesize
199KB

MD5
411d8237c3d6b0be2661d3a62998279e

SHA1
bc4bbb0a0f9b42b8ec40213df528ee2457865cc1

SHA256
dad462b2f90cfb0e0fe1c6602b2ed37ab7dca8b4ee21266f4a578a889b007d82

SHA512
3b6e9c8d4dd9252fa255812dc8437c2716b7c8ab6c138db0da694d9597368d1a8e909a3b3bc736f8ef0042f026f6a8e7ad3be198df99cca3fbe263d825cc0a28

Download Submit
C:\Windows\SysWOW64\Kflnfcgg.exe

Filesize
199KB

MD5
49b145446afb4dc5e4c16d8f0235b92a

SHA1
f9b0e4d79bee1899e0ef030518f5464883ed62a7

SHA256
c562a2b1be65e1ab1d9fa29bbf20974cbad3e37484739cc11510fa83b41c84a9

SHA512
cf8b140960acc81afc4f7b6f9fa713deabcbd3bc1533242cd7f8834792d6b60542d7e62e2cc6c636f1fd7f600217ef7d786f439dd94d593febaa567a85b46c2f

Download Submit
C:\Windows\SysWOW64\Knbiofhg.exe

Filesize
199KB

MD5
8a6dc9693d5ded3cbf94b6d36d6e2229

SHA1
fdb6f8e1c791b784e31998b98da080c21357b3d0

SHA256
82b5229772aea65f83553bbccd0cfc6c9e116bdaacf1dbfbe9dfcfaf35eb778a

SHA512
1461fcf57015324997b9cbb102a7009739828ffb944a845f92bc46c96138d6d18f3ff4f6046bb7c114da431ee98206b2163a3b1b86f52e456a713f32071f54ff

Download Submit
C:\Windows\SysWOW64\Kngcje32.exe

Filesize
199KB

MD5
2100277b47f7dbeec78a22a48d5410c3

SHA1
d444578dc7bede97149b8f08eb2352e20f1a3f22

SHA256
8e8fcaee1405bcf11da179d3a9744a8eb5961bca0ea3124490f8abe16e9b91c1

SHA512
2ae2fd4a4672ba5ed1b5156770fe32ab0c8690b01a69f0f9c30356717f3d26ac5acfce15999f07bd49c36a30ba588ee95cbf6659b1d56d874beec1912a061758

Download Submit
C:\Windows\SysWOW64\Kpbfii32.exe

Filesize
199KB

MD5
9de711627083e4e0e5d32cc95c2d48bc

SHA1
19386cd2d24c1dbaafedc298cf03c03f3c25b8c9

SHA256
2105b5fb830a44c1a486f5a9251bc73573781ebc24ab5e4e86bc8dacd88c83fa

SHA512
5076c6d29bab13137bef1881cc2761fe5494b123e6ca53172d985f38448e0ba9bda3ae4f8f12c06f9ca9bcacb791f95890c4c08bcf5e86b6b8dee8e002b4a4e1

Download Submit
C:\Windows\SysWOW64\Oofaiokl.exe

Filesize
199KB

MD5
f06626db6df32769d3a244be5683d670

SHA1
67bbc23872ea73519bf14430d3c6dc07b5b7771d

SHA256
c2d4e3537462c17ad2bf25722925b762408ac371d95390fb369c1fc0f97f4f25

SHA512
ed1a7acc385c6261c1e9b788fc5ffdc180989ef4eb94ba5425c490d04c1b0195ff48ae7df45ffbc488146c8d3419af2ec7ceec38d52840fdacea3fe633e58073

Download Submit
memory/8-186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/212-301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/264-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/320-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/560-202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/692-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/872-182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/984-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/984-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/984-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1508-218-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-106-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2172-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2212-194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2276-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2712-295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3136-283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3540-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3796-146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3868-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3896-94-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3964-307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3968-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4144-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4392-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-114-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4576-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4584-289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4828-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5144-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5192-355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5236-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5276-367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5316-373-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5400-379-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5452-385-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5496-391-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5536-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5572-403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5624-413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5704-415-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5740-421-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5780-427-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads