3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc

Analysis

max time kernel
9s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 19:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe
Size

100KB
MD5

16ad319fdfb2dddec2533a949e1114ff
SHA1

959f611cb129888d688ff52d41f3746db2a62166
SHA256

3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc
SHA512

df264e7ffb82c877ff816a342a5d7472e703c9f310197c4eb3203548b893c7827636d892d4f43136d46ea159db0d3d62576a83a9e293bb4dbed2fc6e06672160
SSDEEP

1536:FWjGv/ctdcYv2NyOnokts3bKMcrhCxkMhiPWwC7DGsHgVFgblQQa3+om13XRzT:FWiv4fQs3bKFCJMGErgb3a3+X13XRzT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hbhboolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioolkncg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iomoenej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioolkncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcoaglhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjgeedch.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efblbbqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fechomko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gppcmeem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eokqkh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enpmld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fneggdhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hidgai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iomoenej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gmojkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlepcdoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jljbeali.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjlopc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjlopc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljqhkckn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqmmmmph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iibccgep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enpmld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gppcmeem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjpode32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efblbbqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbbpmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlglidlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpjnjii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcpjnjii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlglidlo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcaknbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knenkbio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efpomccg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jekqmhia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fneggdhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlpfhe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hblkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlepcdoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iibccgep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efpomccg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Emhkdmlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geaepk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Knenkbio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhkdmlg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gojiiafp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbhboolf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hidgai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Illfdc32.exe

Executes dropped EXE 50 IoCs

pid	Process
4420	Dijbno32.exe
3532	Emhkdmlg.exe
1716	Efpomccg.exe
3608	Efblbbqd.exe
5016	Eokqkh32.exe
2340	Enpmld32.exe
3540	Felbnn32.exe
1044	Fneggdhg.exe
4864	Fbbpmb32.exe
4252	Fechomko.exe
3292	Fiaael32.exe
2484	Gmojkj32.exe
444	Gfhndpol.exe
1624	Gppcmeem.exe
3716	Gnepna32.exe
1588	Geaepk32.exe
2432	Gojiiafp.exe
2992	Hbhboolf.exe
2404	Hlpfhe32.exe
4452	Hidgai32.exe
1928	Hblkjo32.exe
1452	Hlepcdoa.exe
4464	Hlglidlo.exe
2276	Ibcaknbi.exe
1156	Illfdc32.exe
3380	Iedjmioj.exe
4544	Iomoenej.exe
1416	Iibccgep.exe
4488	Ioolkncg.exe
3664	Ilcldb32.exe
4352	Jekqmhia.exe
2804	Jcoaglhk.exe
2904	Jofalmmp.exe
4856	Jljbeali.exe
3868	Jinboekc.exe
1720	Jjpode32.exe
716	Knnhjcog.exe
1640	Knqepc32.exe
4292	Kjgeedch.exe
4560	Kcpjnjii.exe
2596	Knenkbio.exe
2008	Kjlopc32.exe
4012	Lgpoihnl.exe
888	Lokdnjkg.exe
3148	Ljqhkckn.exe
2052	Ljceqb32.exe
4744	Lqmmmmph.exe
1828	Lnangaoa.exe
4288	Ljhnlb32.exe
940	Mgloefco.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mfbjdgmg.dll	Dijbno32.exe
File opened for modification	C:\Windows\SysWOW64\Fiaael32.exe	Fechomko.exe
File created	C:\Windows\SysWOW64\Hlglidlo.exe	Hlepcdoa.exe
File created	C:\Windows\SysWOW64\Jljbeali.exe	Jofalmmp.exe
File created	C:\Windows\SysWOW64\Bppgif32.dll	Kjgeedch.exe
File created	C:\Windows\SysWOW64\Knenkbio.exe	Kcpjnjii.exe
File created	C:\Windows\SysWOW64\Gfhndpol.exe	Gmojkj32.exe
File created	C:\Windows\SysWOW64\Ilcldb32.exe	Ioolkncg.exe
File opened for modification	C:\Windows\SysWOW64\Hlglidlo.exe	Hlepcdoa.exe
File opened for modification	C:\Windows\SysWOW64\Ibcaknbi.exe	Hlglidlo.exe
File created	C:\Windows\SysWOW64\Iibccgep.exe	Iomoenej.exe
File created	C:\Windows\SysWOW64\Jjpode32.exe	Jinboekc.exe
File opened for modification	C:\Windows\SysWOW64\Knnhjcog.exe	Jjpode32.exe
File created	C:\Windows\SysWOW64\Kjlopc32.exe	Knenkbio.exe
File created	C:\Windows\SysWOW64\Anoipp32.dll	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Ljhnlb32.exe	Lnangaoa.exe
File created	C:\Windows\SysWOW64\Fechomko.exe	Fbbpmb32.exe
File created	C:\Windows\SysWOW64\Linhgilm.dll	Fbbpmb32.exe
File created	C:\Windows\SysWOW64\Jiejjepo.dll	Hidgai32.exe
File created	C:\Windows\SysWOW64\Migmpjdh.dll	Ilcldb32.exe
File created	C:\Windows\SysWOW64\Hicakqhn.dll	Jjpode32.exe
File opened for modification	C:\Windows\SysWOW64\Ljceqb32.exe	Ljqhkckn.exe
File created	C:\Windows\SysWOW64\Ebmenh32.dll	3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe
File created	C:\Windows\SysWOW64\Cjafgpmo.dll	Felbnn32.exe
File opened for modification	C:\Windows\SysWOW64\Jekqmhia.exe	Ilcldb32.exe
File created	C:\Windows\SysWOW64\Knqepc32.exe	Knnhjcog.exe
File created	C:\Windows\SysWOW64\Illfdc32.exe	Ibcaknbi.exe
File created	C:\Windows\SysWOW64\Ioolkncg.exe	Iibccgep.exe
File created	C:\Windows\SysWOW64\Efblbbqd.exe	Efpomccg.exe
File opened for modification	C:\Windows\SysWOW64\Efblbbqd.exe	Efpomccg.exe
File created	C:\Windows\SysWOW64\Enpmld32.exe	Eokqkh32.exe
File created	C:\Windows\SysWOW64\Konidd32.dll	Fechomko.exe
File created	C:\Windows\SysWOW64\Ojmjcf32.dll	Gmojkj32.exe
File created	C:\Windows\SysWOW64\Geaepk32.exe	Gnepna32.exe
File created	C:\Windows\SysWOW64\Lqmmmmph.exe	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Dckajh32.dll	Mgloefco.exe
File created	C:\Windows\SysWOW64\Gojiiafp.exe	Geaepk32.exe
File opened for modification	C:\Windows\SysWOW64\Jinboekc.exe	Jljbeali.exe
File created	C:\Windows\SysWOW64\Dmokdgeg.dll	Kjlopc32.exe
File created	C:\Windows\SysWOW64\Kfbdfl32.dll	Efblbbqd.exe
File opened for modification	C:\Windows\SysWOW64\Gppcmeem.exe	Gfhndpol.exe
File created	C:\Windows\SysWOW64\Jekqmhia.exe	Ilcldb32.exe
File opened for modification	C:\Windows\SysWOW64\Jljbeali.exe	Jofalmmp.exe
File opened for modification	C:\Windows\SysWOW64\Lnangaoa.exe	Lqmmmmph.exe
File created	C:\Windows\SysWOW64\Mogcihaj.exe	Mgloefco.exe
File created	C:\Windows\SysWOW64\Eokqkh32.exe	Efblbbqd.exe
File opened for modification	C:\Windows\SysWOW64\Felbnn32.exe	Enpmld32.exe
File created	C:\Windows\SysWOW64\Cikamapb.dll	Hblkjo32.exe
File created	C:\Windows\SysWOW64\Ibcaknbi.exe	Hlglidlo.exe
File created	C:\Windows\SysWOW64\Lokdnjkg.exe	Lgpoihnl.exe
File opened for modification	C:\Windows\SysWOW64\Lqmmmmph.exe	Ljceqb32.exe
File created	C:\Windows\SysWOW64\Fneggdhg.exe	Felbnn32.exe
File created	C:\Windows\SysWOW64\Hblkjo32.exe	Hidgai32.exe
File created	C:\Windows\SysWOW64\Hlepcdoa.exe	Hblkjo32.exe
File created	C:\Windows\SysWOW64\Fbqdpi32.dll	Iedjmioj.exe
File created	C:\Windows\SysWOW64\Anhejhfp.dll	Jcoaglhk.exe
File created	C:\Windows\SysWOW64\Dijbno32.exe	3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe
File created	C:\Windows\SysWOW64\Hlpfhe32.exe	Hbhboolf.exe
File opened for modification	C:\Windows\SysWOW64\Iedjmioj.exe	Illfdc32.exe
File created	C:\Windows\SysWOW64\Ggpdhj32.dll	Gnepna32.exe
File opened for modification	C:\Windows\SysWOW64\Hblkjo32.exe	Hidgai32.exe
File opened for modification	C:\Windows\SysWOW64\Hlepcdoa.exe	Hblkjo32.exe
File opened for modification	C:\Windows\SysWOW64\Kjgeedch.exe	Knqepc32.exe
File created	C:\Windows\SysWOW64\Ndnljbeg.dll	Ljqhkckn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqehjpfj.dll"	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hbhboolf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlepcdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlglidlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iibccgep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iibccgep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jekqmhia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbbpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgjamboa.dll"	Ibcaknbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhejhfp.dll"	Jcoaglhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljceqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Linhgilm.dll"	Fbbpmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfnmog32.dll"	Gfhndpol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Geaepk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcnla32.dll"	Hlepcdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooogokm.dll"	Knenkbio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpoihnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lokdnjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anoipp32.dll"	Ljceqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efblbbqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lblldc32.dll"	Illfdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dckajh32.dll"	Mgloefco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbjdgmg.dll"	Dijbno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Konidd32.dll"	Fechomko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdfqocb.dll"	Hlpfhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlepcdoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knnhjcog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpoihnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gojiiafp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jinboekc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboqkn32.dll"	Lnangaoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpdhj32.dll"	Gnepna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iomoenej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmenh32.dll"	3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efpomccg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jljbeali.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjpode32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Knenkbio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lqmmmmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efpomccg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hidgai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eokqkh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gnepna32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hblkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikamapb.dll"	Hblkjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjgeedch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjlopc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbqdpi32.dll"	Iedjmioj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Knenkbio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Emhkdmlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcaoeoo.dll"	Efpomccg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gnepna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hblkjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioolkncg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jofalmmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljqhkckn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlpfhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcoaglhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ignlbcmf.dll"	Jinboekc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 4420	2348	3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe	93
PID 2348 wrote to memory of 4420	2348	3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe	93
PID 2348 wrote to memory of 4420	2348	3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe	93
PID 4420 wrote to memory of 3532	4420	Dijbno32.exe	95
PID 4420 wrote to memory of 3532	4420	Dijbno32.exe	95
PID 4420 wrote to memory of 3532	4420	Dijbno32.exe	95
PID 3532 wrote to memory of 1716	3532	Emhkdmlg.exe	96
PID 3532 wrote to memory of 1716	3532	Emhkdmlg.exe	96
PID 3532 wrote to memory of 1716	3532	Emhkdmlg.exe	96
PID 1716 wrote to memory of 3608	1716	Efpomccg.exe	97
PID 1716 wrote to memory of 3608	1716	Efpomccg.exe	97
PID 1716 wrote to memory of 3608	1716	Efpomccg.exe	97
PID 3608 wrote to memory of 5016	3608	Efblbbqd.exe	98
PID 3608 wrote to memory of 5016	3608	Efblbbqd.exe	98
PID 3608 wrote to memory of 5016	3608	Efblbbqd.exe	98
PID 5016 wrote to memory of 2340	5016	Eokqkh32.exe	99
PID 5016 wrote to memory of 2340	5016	Eokqkh32.exe	99
PID 5016 wrote to memory of 2340	5016	Eokqkh32.exe	99
PID 2340 wrote to memory of 3540	2340	Enpmld32.exe	100
PID 2340 wrote to memory of 3540	2340	Enpmld32.exe	100
PID 2340 wrote to memory of 3540	2340	Enpmld32.exe	100
PID 3540 wrote to memory of 1044	3540	Felbnn32.exe	101
PID 3540 wrote to memory of 1044	3540	Felbnn32.exe	101
PID 3540 wrote to memory of 1044	3540	Felbnn32.exe	101
PID 1044 wrote to memory of 4864	1044	Fneggdhg.exe	102
PID 1044 wrote to memory of 4864	1044	Fneggdhg.exe	102
PID 1044 wrote to memory of 4864	1044	Fneggdhg.exe	102
PID 4864 wrote to memory of 4252	4864	Fbbpmb32.exe	103
PID 4864 wrote to memory of 4252	4864	Fbbpmb32.exe	103
PID 4864 wrote to memory of 4252	4864	Fbbpmb32.exe	103
PID 4252 wrote to memory of 3292	4252	Fechomko.exe	104
PID 4252 wrote to memory of 3292	4252	Fechomko.exe	104
PID 4252 wrote to memory of 3292	4252	Fechomko.exe	104
PID 3292 wrote to memory of 2484	3292	Fiaael32.exe	105
PID 3292 wrote to memory of 2484	3292	Fiaael32.exe	105
PID 3292 wrote to memory of 2484	3292	Fiaael32.exe	105
PID 2484 wrote to memory of 444	2484	Gmojkj32.exe	107
PID 2484 wrote to memory of 444	2484	Gmojkj32.exe	107
PID 2484 wrote to memory of 444	2484	Gmojkj32.exe	107
PID 444 wrote to memory of 1624	444	Gfhndpol.exe	108
PID 444 wrote to memory of 1624	444	Gfhndpol.exe	108
PID 444 wrote to memory of 1624	444	Gfhndpol.exe	108
PID 1624 wrote to memory of 3716	1624	Gppcmeem.exe	109
PID 1624 wrote to memory of 3716	1624	Gppcmeem.exe	109
PID 1624 wrote to memory of 3716	1624	Gppcmeem.exe	109
PID 3716 wrote to memory of 1588	3716	Gnepna32.exe	110
PID 3716 wrote to memory of 1588	3716	Gnepna32.exe	110
PID 3716 wrote to memory of 1588	3716	Gnepna32.exe	110
PID 1588 wrote to memory of 2432	1588	Geaepk32.exe	111
PID 1588 wrote to memory of 2432	1588	Geaepk32.exe	111
PID 1588 wrote to memory of 2432	1588	Geaepk32.exe	111
PID 2432 wrote to memory of 2992	2432	Gojiiafp.exe	112
PID 2432 wrote to memory of 2992	2432	Gojiiafp.exe	112
PID 2432 wrote to memory of 2992	2432	Gojiiafp.exe	112
PID 2992 wrote to memory of 2404	2992	Hbhboolf.exe	113
PID 2992 wrote to memory of 2404	2992	Hbhboolf.exe	113
PID 2992 wrote to memory of 2404	2992	Hbhboolf.exe	113
PID 2404 wrote to memory of 4452	2404	Hlpfhe32.exe	114
PID 2404 wrote to memory of 4452	2404	Hlpfhe32.exe	114
PID 2404 wrote to memory of 4452	2404	Hlpfhe32.exe	114
PID 4452 wrote to memory of 1928	4452	Hidgai32.exe	115
PID 4452 wrote to memory of 1928	4452	Hidgai32.exe	115
PID 4452 wrote to memory of 1928	4452	Hidgai32.exe	115
PID 1928 wrote to memory of 1452	1928	Hblkjo32.exe	116

C:\Users\Admin\AppData\Local\Temp\3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe
"C:\Users\Admin\AppData\Local\Temp\3a83f480f60f2414ba2563925d3385f5b3b574ae6df2cf00a0917c9218157edc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\Dijbno32.exe
  C:\Windows\system32\Dijbno32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\Emhkdmlg.exe
    C:\Windows\system32\Emhkdmlg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Windows\SysWOW64\Efpomccg.exe
      C:\Windows\system32\Efpomccg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\Efblbbqd.exe
        
        C:\Windows\system32\Efblbbqd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\SysWOW64\Eokqkh32.exe
        
        C:\Windows\system32\Eokqkh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Enpmld32.exe
        
        C:\Windows\system32\Enpmld32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Felbnn32.exe
        
        C:\Windows\system32\Felbnn32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Fneggdhg.exe
        
        C:\Windows\system32\Fneggdhg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Fbbpmb32.exe
        
        C:\Windows\system32\Fbbpmb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\Fechomko.exe
        
        C:\Windows\system32\Fechomko.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\SysWOW64\Fiaael32.exe
        
        C:\Windows\system32\Fiaael32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Gmojkj32.exe
        
        C:\Windows\system32\Gmojkj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Gfhndpol.exe
        
        C:\Windows\system32\Gfhndpol.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Gppcmeem.exe
        
        C:\Windows\system32\Gppcmeem.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Gnepna32.exe
        
        C:\Windows\system32\Gnepna32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Geaepk32.exe
        
        C:\Windows\system32\Geaepk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\SysWOW64\Gojiiafp.exe
        
        C:\Windows\system32\Gojiiafp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Hbhboolf.exe
        
        C:\Windows\system32\Hbhboolf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Hlpfhe32.exe
        
        C:\Windows\system32\Hlpfhe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Hidgai32.exe
        
        C:\Windows\system32\Hidgai32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Hblkjo32.exe
        
        C:\Windows\system32\Hblkjo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Hlepcdoa.exe
        
        C:\Windows\system32\Hlepcdoa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Hlglidlo.exe
        
        C:\Windows\system32\Hlglidlo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\Ibcaknbi.exe
        
        C:\Windows\system32\Ibcaknbi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Illfdc32.exe
        
        C:\Windows\system32\Illfdc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Iedjmioj.exe
        
        C:\Windows\system32\Iedjmioj.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Iomoenej.exe
        
        C:\Windows\system32\Iomoenej.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Iibccgep.exe
        
        C:\Windows\system32\Iibccgep.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Ioolkncg.exe
        
        C:\Windows\system32\Ioolkncg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4488
        
        C:\Windows\SysWOW64\Ilcldb32.exe
        
        C:\Windows\system32\Ilcldb32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\Jekqmhia.exe
        
        C:\Windows\system32\Jekqmhia.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Jcoaglhk.exe
        
        C:\Windows\system32\Jcoaglhk.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Jofalmmp.exe
        
        C:\Windows\system32\Jofalmmp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Jljbeali.exe
        
        C:\Windows\system32\Jljbeali.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Jjpode32.exe
        
        C:\Windows\system32\Jjpode32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Knnhjcog.exe
        
        C:\Windows\system32\Knnhjcog.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Knqepc32.exe
        
        C:\Windows\system32\Knqepc32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\Kjgeedch.exe
        
        C:\Windows\system32\Kjgeedch.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Kcpjnjii.exe
        
        C:\Windows\system32\Kcpjnjii.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4560
        
        C:\Windows\SysWOW64\Knenkbio.exe
        
        C:\Windows\system32\Knenkbio.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Kjlopc32.exe
        
        C:\Windows\system32\Kjlopc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Lgpoihnl.exe
        
        C:\Windows\system32\Lgpoihnl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Lokdnjkg.exe
        
        C:\Windows\system32\Lokdnjkg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Ljqhkckn.exe
        
        C:\Windows\system32\Ljqhkckn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Ljceqb32.exe
        
        C:\Windows\system32\Ljceqb32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Lqmmmmph.exe
        
        C:\Windows\system32\Lqmmmmph.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Lnangaoa.exe
        
        C:\Windows\system32\Lnangaoa.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Ljhnlb32.exe
        
        C:\Windows\system32\Ljhnlb32.exe
        50⤵
        Executes dropped EXE
        
        PID:4288
        
        C:\Windows\SysWOW64\Mgloefco.exe
        
        C:\Windows\system32\Mgloefco.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Mogcihaj.exe
        
        C:\Windows\system32\Mogcihaj.exe
        52⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        53⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\Nqmfdj32.exe
        
        C:\Windows\system32\Nqmfdj32.exe
        54⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\Nnafno32.exe
        
        C:\Windows\system32\Nnafno32.exe
        55⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        56⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\Nfohgqlg.exe
        
        C:\Windows\system32\Nfohgqlg.exe
        57⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Nfaemp32.exe
        
        C:\Windows\system32\Nfaemp32.exe
        58⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\Omnjojpo.exe
        
        C:\Windows\system32\Omnjojpo.exe
        59⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\Offnhpfo.exe
        
        C:\Windows\system32\Offnhpfo.exe
        60⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Ogekbb32.exe
        
        C:\Windows\system32\Ogekbb32.exe
        61⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        62⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\Onapdl32.exe
        
        C:\Windows\system32\Onapdl32.exe
        63⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        64⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\Omgmeigd.exe
        
        C:\Windows\system32\Omgmeigd.exe
        65⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        66⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\Pffgom32.exe
        
        C:\Windows\system32\Pffgom32.exe
        67⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        68⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        69⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\Qjfmkk32.exe
        
        C:\Windows\system32\Qjfmkk32.exe
        70⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\Qhjmdp32.exe
        
        C:\Windows\system32\Qhjmdp32.exe
        71⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        72⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\Aaenbd32.exe
        
        C:\Windows\system32\Aaenbd32.exe
        73⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        74⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\Agdcpkll.exe
        
        C:\Windows\system32\Agdcpkll.exe
        75⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\Aajhndkb.exe
        
        C:\Windows\system32\Aajhndkb.exe
        76⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\Akblfj32.exe
        
        C:\Windows\system32\Akblfj32.exe
        77⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        78⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Akdilipp.exe
        
        C:\Windows\system32\Akdilipp.exe
        79⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Apaadpng.exe
        
        C:\Windows\system32\Apaadpng.exe
        80⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\Bkgeainn.exe
        
        C:\Windows\system32\Bkgeainn.exe
        81⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\Bdojjo32.exe
        
        C:\Windows\system32\Bdojjo32.exe
        82⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\Boenhgdd.exe
        
        C:\Windows\system32\Boenhgdd.exe
        83⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        84⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\Bphgeo32.exe
        
        C:\Windows\system32\Bphgeo32.exe
        85⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\Bknlbhhe.exe
        
        C:\Windows\system32\Bknlbhhe.exe
        86⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        87⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        88⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\Chdialdl.exe
        
        C:\Windows\system32\Chdialdl.exe
        89⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        90⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        91⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        92⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        93⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\Dnonkq32.exe
        
        C:\Windows\system32\Dnonkq32.exe
        94⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\Dhdbhifj.exe
        
        C:\Windows\system32\Dhdbhifj.exe
        95⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Doojec32.exe
        
        C:\Windows\system32\Doojec32.exe
        96⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\Dgjoif32.exe
        
        C:\Windows\system32\Dgjoif32.exe
        97⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\Dkhgod32.exe
        
        C:\Windows\system32\Dkhgod32.exe
        98⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\Edplhjhi.exe
        
        C:\Windows\system32\Edplhjhi.exe
        99⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Enhpao32.exe
        
        C:\Windows\system32\Enhpao32.exe
        100⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Ehndnh32.exe
        
        C:\Windows\system32\Ehndnh32.exe
        101⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\Eqiibjlj.exe
        
        C:\Windows\system32\Eqiibjlj.exe
        102⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        103⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\Ebifmm32.exe
        
        C:\Windows\system32\Ebifmm32.exe
        104⤵
        
        PID:5752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dijbno32.exe

Filesize
100KB

MD5
f4262cede0737aa937323997f1037a21

SHA1
c97410c80d13f86e43553b8a5ef2dacbd76a5e6d

SHA256
00458e4330f359156bdca66fc132648923f0c28aca0a6552214980bfadfc229c

SHA512
6f2dd28f11474d17c96ffdc00a74640ac82d18903e1d5208bc04ba2a550615bd54bac4d431823a01430694a90b393e2003f7b5fb0d249829ffbcd2cc336837b9

Download Submit
C:\Windows\SysWOW64\Dnonkq32.exe

Filesize
100KB

MD5
e7ded37d501b71575b3adcc785ccc8d8

SHA1
cba1b1cbd7c0fbeebeffc39dc15bf970e3646bd0

SHA256
e1f04c5103777b66475b4cc8908f3bd813e6f4fb5ab03130ed272bfd50313270

SHA512
5d680fb2f460ab182dd8223feb3f0597231d9768d73abf344daccada6cda1ee7b35a1d703a0fb7a673e712fa284f139995690bce5c6e446f31aec675aa8153a0

Download Submit
C:\Windows\SysWOW64\Efblbbqd.exe

Filesize
100KB

MD5
8ddd3aae67ae7ba3dac91bd674328861

SHA1
368045c42d6ca7a8326eee0bc70efe10f9129f6e

SHA256
ff999af51861a9b60df6db6f372b8ca64746fe7fb97c794c47f0e14d8ae49911

SHA512
835616c4b2da24d54fd392e2a001b460083ef14693eec384d171aa902be6479a7eed20839b16a71d53c1f08fab83025cf1dc42171c437065f3a76a5692a76bd2

Download Submit
C:\Windows\SysWOW64\Efpomccg.exe

Filesize
100KB

MD5
6b1a9965eebafe9e9597d04982badc18

SHA1
211d8e554ef161021f35d19b810a97976791f0d3

SHA256
f43a5e657cda92382efe54ddabd1cf34b2511c6a6cfdfdd4de53cbb1982c3a00

SHA512
1356f1b982c137ba08c2979577ecf50205a1a68cbfe6ec1f5ee0dedb4c4792d44edcffb20e20bb32df8f23edf0eb366af02f6b20f4d5d6f3dce8afe44d43e258

Download Submit
C:\Windows\SysWOW64\Emhkdmlg.exe

Filesize
100KB

MD5
aa9b9166e87649ce7bee4847d0e059c2

SHA1
54e2d2f36a3b2b2ae0449884048234c15498c2ed

SHA256
c68d627542b5cd4cd7ac0161bf9b21e2c79df33e3a92f3f340c056589d9fb579

SHA512
ac921940961f4b1e2017c7813ec3030f3c0dfd89e71297a8ab57863ea563ba70b87ac4638ed5a64a34dab01d9856066ea4e046a8e3ff059e14f50c4136fc5b4d

Download Submit
C:\Windows\SysWOW64\Enpmld32.exe

Filesize
100KB

MD5
2305d5ac827586b5789cc76f9fce597b

SHA1
0c9789b07770d756aa93f9988c589da6ab56508c

SHA256
b8030620c8d324630ab1182c286a690ba67140cd854ac19f3dd26763ff36661d

SHA512
bfadef6ff7613d92b1c971c949104d6059d2e1b43071c287d0708e3e673a530511b96e359959c20b0deab47f5adc864c3ff97d9a8a81bd4b248240d30022d147

Download Submit
C:\Windows\SysWOW64\Eokqkh32.exe

Filesize
100KB

MD5
ec401536a552af1405c7bfed0860a8b6

SHA1
04035aebc1fac114533a3e59fde060cc310b0ba0

SHA256
a01049d571a923dee300790b8243cf0a29f13d0afb3d6e84fb09889ab6c32ac4

SHA512
42e0f8672e1eb4cab7a71c8d67fc052e8d54543f813b50d56aa99a2ef556c63ec694a6e055ce286fe1fa68f6c68de1d117d5e4388b82dafa84c1909647cffdc2

Download Submit
C:\Windows\SysWOW64\Fbbpmb32.exe

Filesize
100KB

MD5
187118e2955a029a117a3909d603ae80

SHA1
81b8705cc191309e1f7411d2d8e49d8e1be3458a

SHA256
1e03b9e0595569ae20c296517d7af8afc5efb492c4fa653a6777ebd7a222a77a

SHA512
7c966350f8b461070cfef1ff0d2118a9e29b52bdc343f8906cb5de4cf9b2957aa2e89c68b3946916015bea444e091ec85460e56a637fac3828b9613072ec60c0

Download Submit
C:\Windows\SysWOW64\Fechomko.exe

Filesize
100KB

MD5
8fb5a93552bb9c062b4846f32b136d62

SHA1
8c86c82703a2536b873543c0b38596b95df1c517

SHA256
3a2ee713e1ebf181febc037b1a6c34f3d5153cc3d879b6422ea775f4c9c9a685

SHA512
a885b07a4f165d01aed3579b547a90a1af8694986e379db56d9974660e1af255050460c8b6f5be9d2731851504c237773288b8629574febde8f59bb852ff75b5

Download Submit
C:\Windows\SysWOW64\Felbnn32.exe

Filesize
100KB

MD5
1c0b8ab3e535cce19ebce32a1b32e399

SHA1
486d095ae9c9754b6635a1a0a91c383b3b3bf730

SHA256
71da2bd7abdee1b2aa25e19c8e5a3973f723c3d58276587f09f2b492a287424c

SHA512
2aa1704f03dab609b6f26846806abcc29f80d3179958547e52e23ea97b8c80ebc0f0397d522998593b181048740fad94f943ecd7801b41c1cf1041014c39bf5d

Download Submit
C:\Windows\SysWOW64\Fiaael32.exe

Filesize
100KB

MD5
c5d74ca57941e075f833a106bde55977

SHA1
c3e5c40d9827b290a5f7ebbe57b54b723f4932f1

SHA256
e2cb8ed15db4ce93015943f525fa5eba6aafc13bc342a4eedc980c8999e2e1ed

SHA512
63311e022a013b6576a41c10606b3f4a83e229d177a9e79638dda8b4c8c45cbf5208c42ad7d53f02134af09a423f37c49dad5d0f5338f40e090bec15183f3aba

Download Submit
C:\Windows\SysWOW64\Fneggdhg.exe

Filesize
100KB

MD5
ddd869e15d130ee144d0684de1f8eaba

SHA1
d32a359abedd585c7df8b9485de3fee7a13284f5

SHA256
aab1e2906a72a1d1931bf2f3a6372ff2799eae889326de271b08d938dcc2596b

SHA512
3d30aabad6e863204d920a1906822397d7aa0c8b126723d4cc515cc11fde63bd0af720df8e40c377bb38369c184f6556108d84e3e04db46a41bf8f3a7766c438

Download Submit
C:\Windows\SysWOW64\Geaepk32.exe

Filesize
100KB

MD5
81dc4192a7283eaeca3e18a7873028f5

SHA1
cc0dd974796a93f24da286bde548368f04b7324d

SHA256
7017a9ad9e93f557191ddfe404314a8721e8aa71ab149be0d0debee88188fb8f

SHA512
230e3634411cfef595d6e3552c94b288a16ad6811fe11d1335e06520e0dd6f24a486b15991d358eb0612e4bed333c18d4de1fdd4cfea4cd54fea78a2e628053a

Download Submit
C:\Windows\SysWOW64\Gfhndpol.exe

Filesize
100KB

MD5
ab04a52d189aad18a363d2bd3c5e0425

SHA1
206d5401ee0ec6063307e8f4a79eb78492669e11

SHA256
128d4b517a69d5267ea5e5451cc40ab3d9e92ffcef81fd421ed7c6317e3553f9

SHA512
7ceeda6837176a94005a4dce188589726dcca64ee6008611da28502a654841505935da022c607577cedf6f18ea0410a63a7562a01af8c3c29d3206ec7b9fa298

Download Submit
C:\Windows\SysWOW64\Gmojkj32.exe

Filesize
100KB

MD5
1c94a3d0a0850a343e2d54eb5ec21d51

SHA1
a5754fca43ace2f0d07694804e8906212b2e0b76

SHA256
c14028163085c32c53cc9a132578721f3e117cf08561d1e11ea6e54e7ab1dfd0

SHA512
7a71d7ed68770771e445e983b858c501cdcc867cec9d90999906f98d3a2bc1151b932059a221baf81067209acfc8ddbd0bb401df8052aa00f1b063ffd2480b4d

Download Submit
C:\Windows\SysWOW64\Gnepna32.exe

Filesize
100KB

MD5
2c26ee9111df00726f4dc13524e28411

SHA1
27cd94453b2d46985f630f04068c34930ed4b26e

SHA256
679e94c5d151cdf6a53a4bc166c479b9360e33fca69422113ac70ec8e712c94c

SHA512
b9fa8cfc6f9a4e7ec5b52e0675a5e02879dfe337011123870945e53a5799222bfb6a6dd27441563c9cb148cbd4305e664d50208cf41c0e2d14ef10c5570a3d53

Download Submit
C:\Windows\SysWOW64\Gojiiafp.exe

Filesize
100KB

MD5
e903d6a7988166fa92c039a31cc663d0

SHA1
7744c1c1a852cc6c42a130aae7f71b78dc85542c

SHA256
eedb7bb3b510d5d43aa08bcc0e87e6acd24280e7692d1578ec91d0b47a813e55

SHA512
ef73b3734bec0078c1ed0c06a8f742e5298800868d717bda12397ad4c1da009d291f2f2eb16a5df6e7d8f22d938bba0ae6ea0cfb8d9cf11aad4481d9fe5d9cdb

Download Submit
C:\Windows\SysWOW64\Gppcmeem.exe

Filesize
100KB

MD5
f7cb1737655ec8d49c01f1baade7e68e

SHA1
a418755e59cf50393c5fe600e3674c0552a8b9be

SHA256
2f75b77af024479350874da45774a6d6c3b086d3f8864e11d95e9a330031ef59

SHA512
1cadea57c440f0b73947f0696ebc6e1d1783da3f5146952a37ebba13dbd96d9b08c3db72abfa2ba6301ed5b9d0298a7fe9bbe09a52ccc5490e765e7674ed0a61

Download Submit
C:\Windows\SysWOW64\Hbhboolf.exe

Filesize
100KB

MD5
a7b55985f89e75f194603f7e1aaaa31c

SHA1
2f9fb6b35f400dfba1237bd9d56815e088523961

SHA256
498b508a0aff904781062ea12324de7e9b426731252ff669254b230f29d3fa76

SHA512
dfafb3495948e360ee5bef1da58b7731d47f4f2c45a3e93542a6ebaf7e82606b0ad7327d9e165577db09f9a4327beb68f5e0ebce0e30495a0f256614429a7038

Download Submit
C:\Windows\SysWOW64\Hblkjo32.exe

Filesize
100KB

MD5
226a641284771bef7d462a27d438f628

SHA1
1e104dae7284528f85a6c98ea754ef6b1097c718

SHA256
5ee0dbd4c055b1aeaff508feb2717a67f88fec25a7e57a6de6a33e0f00facdd4

SHA512
ec85c9e74d0e054fd56753c85c86e24784cdd85a0bce1d5943ebf5f2d9e4412e455c90f9598f68240cb65f64ae32472ac6418a8b8056cf72706b8e8ef9233ead

Download Submit
C:\Windows\SysWOW64\Hidgai32.exe

Filesize
100KB

MD5
50dd7a6af4140ad16972a259a9dd624c

SHA1
5689add12906919d262ec6609d3b292a95b6d656

SHA256
324403af0eba44304b8536fd18362ab32b2d527785d2b8372d63cf32b9b8e1d7

SHA512
2e7a78923c6f06bd984ba43fffe5736ea95e2b2ad356c597df5c899cbe696bb2ea890daaacb29e81e938c0f54bb0c9d941c31a6f76605f9d0ed6ca9014e332c9

Download Submit
C:\Windows\SysWOW64\Hlepcdoa.exe

Filesize
100KB

MD5
c06f3ca04e4cc7c0f938e072eaab3c64

SHA1
89bb55ac45d085ece37edba8b194225db66b25dd

SHA256
734359464a47341831af0f55c0dec5147243edfdd699c8b8d77db7a71de98d93

SHA512
6d65e11bd4b0db509f625140bdcea02f7d61ad7bb5ee425102023157b228a32fa91264fcbb154cf9c0226de1dec3f6a9bc0c4e25bf99f1ee8f9897e4d57d95f7

Download Submit
C:\Windows\SysWOW64\Hlglidlo.exe

Filesize
100KB

MD5
05fda095a703fa9fa62d880d50011e93

SHA1
a2efc5d71ca7cf5df9509cf9ca0009ae56a8b9c6

SHA256
29a489636ac3743d84b950f54503771d1c7d59bf8392045667af9910f4dd8b14

SHA512
12f276b00b9d4ad9f88f2da94a86e9b8c37cef6a78977786b33af01e6769ec36c30d17180b60f521ff92d5143555dc39efe7551cacabcf305f0909734e2768f7

Download Submit
C:\Windows\SysWOW64\Hlpfhe32.exe

Filesize
100KB

MD5
5a5f3fc3a04d08f36734a75fdc24af0f

SHA1
afed66e890fc5f1d09fe120ed293e1f895752525

SHA256
9d0d2b97d73cd71240583f395a9b2f83cd92081bc6c0e555afdc06b2f8a44b1c

SHA512
281d5dbdfde56920eade56da41acbd0289609a63ab80c47bb25690ead45712937242a393875ab6076a1ff08f42aa803b003ff4f17e8a47f7ef64046bc97aa3ca

Download Submit
C:\Windows\SysWOW64\Ibcaknbi.exe

Filesize
100KB

MD5
1af6bf15c557c77b65ed9071da97293c

SHA1
59b996479284198bf7174108c0d74e711f5444d9

SHA256
835844b3af237a6a01c4224fc261a6049b7241caa64a58fac16ffa619fa4b4c0

SHA512
64295ebf0ab785d9359464738f04ecc443735b1075ec89425d438ca9ab463ca50032fea8ebd9afe7a73b6a29b68454fe5ac2b109d095d24fd203a71b51cafc91

Download Submit
C:\Windows\SysWOW64\Iedjmioj.exe

Filesize
100KB

MD5
56b7c572f4cff13c96e10e4aa038a128

SHA1
3101bbae1c94ecd47f0d29abbbbd7598e03d62d7

SHA256
8e4234ef4bf3dfc1dfa18cec9981e91cdb822512f132484ce50c130c0e00a63a

SHA512
c5777480c4b07522bcc938d4380ffd9f8b844fb97a3707b8af709f7dbe05c5bffc596bf38662c3e990934bfd2effc8661525d83592cf763294c17923f8d454e3

Download Submit
C:\Windows\SysWOW64\Iibccgep.exe

Filesize
100KB

MD5
53fa0a71ccd32bba07a96d271ff6c3a5

SHA1
c7ea2d0c64744f66c8f447a440bd6c09b1444ad4

SHA256
6d0c9c7d0c1f09d4920e946845d63ac52001c7ff8608aa0b893eb0393a142230

SHA512
8be3ce3c2962d19dacd077b01b654cf9b5f843648281783a2c04b4112711b8a534ee3de29e3b7a2eed1b02d79899a65686854d822f979cc1a2ece2af7fa88706

Download Submit
C:\Windows\SysWOW64\Ilcldb32.exe

Filesize
100KB

MD5
40b2107865be95acba3e1fec82e7eaad

SHA1
dd2916a2ee16122f7a2133074d21f8acb10288b6

SHA256
201e61401508e41dc2149c959d3ca58843e8160549074e87fc7025dc787846fb

SHA512
958b2685bae63fe3e47a0f4e5d1756b099a54f0bd5fd880398f63dd8603f814c43ea94ad8e8daaf7fcfb65456e7e54ac7a1b5937e7469a1e762b3059877f63c2

Download Submit
C:\Windows\SysWOW64\Illfdc32.exe

Filesize
100KB

MD5
95b13cdc21639fc0945b9a4466a817bf

SHA1
e61c75914c8206582d6a12be7bc655dfdb29b83a

SHA256
73375b85d1ea9750bfe2fcdb13be9706ff4ade53b1fe7d244d1ee1334e2522a7

SHA512
373e5965d9a808237af54c11c15d15ca423d4de7396f60fbd1432e9e60e1df619df3dc810c7a23dc599386616b50801b8fd80d81e2a07702d9ab09f570b7819e

Download Submit
C:\Windows\SysWOW64\Iomoenej.exe

Filesize
100KB

MD5
238e5caceee88c8eb4ddc4e125b68d6b

SHA1
269f4331e41375789235bbe69286db61cde3af99

SHA256
0a01eb8ff6eaefff0a44a8dc95fe24186e183151eac21caa7dedfc9f00336e52

SHA512
ceddce7ba410bd64207a80465157af12cd64dbc2f37fc5764fcfab7902144181585c3f915d295730fdd7b349165f127d30e87d947c5387b22672f149c12262e6

Download Submit
C:\Windows\SysWOW64\Ioolkncg.exe

Filesize
100KB

MD5
4b46d85bdfd82cbd4c971f793d0dccb3

SHA1
bcecdedf7acf73a0115bfb6e722f6f3574b3ed57

SHA256
8d5d65a564cbb7af36be2a77dc3cba1e95ccf51fbb65e736fe510f2224a24fec

SHA512
b94ef5cd3fa5e5efacc22b0599613f926fa7060e44502f581fb78d4c0178eac65f8ad131e319bfa124b310aa3205a86034b7116fbfe7633c7c00e1a016d3e914

Download Submit
C:\Windows\SysWOW64\Jcoaglhk.exe

Filesize
100KB

MD5
87ddbb89bd518e889f6579f0618e4042

SHA1
88ddb40577e2c6457ceeb39ac864064df10d120e

SHA256
9c328adbbdf88411aa52eb87593e1c3d4b9d227681dfdde5da3752a8d64cfae7

SHA512
e5cb6fd50d87cced087a37f9e5b702189fdbeec08fbf64533d5ede5a7a0c6e7ee87c2662704d07c604b04bc0c93993c79d3a91c1cbc662064c2003c05e49c1c2

Download Submit
C:\Windows\SysWOW64\Jekqmhia.exe

Filesize
100KB

MD5
73c67d43b91cfa5d67943353fa651724

SHA1
d41b37cd13d44a8e8959c3adb9f5183e53189039

SHA256
1da5f6837b9b498825e1206257aed840e2b51a06823eafbeb98ecbd0f372c82e

SHA512
0b30fd202964e18ff9694226a8b96373b207e27bf87f98d8796c7153d63850cf24304514cf0c35afa171444f8bf08e25871510df12994c21a40ccadc4e05d3b9

Download Submit
C:\Windows\SysWOW64\Kfbdfl32.dll

Filesize
7KB

MD5
49e155077e6099fd61a57088274a6b45

SHA1
ca817aab728325517c540dde440f05479d56fb2c

SHA256
3196e5c652d2839bc9d0686cbb4d394b13fb984a658739701f9b983badc38623

SHA512
a589cc6a3bce8553bc06c6c42739556297644a53c9859852d777ea5c93187c3da77a7dd305609f02e8072334729bfb0bd95bf26b8890a4a65a14c3b8fdccde0e

Download Submit
C:\Windows\SysWOW64\Mgloefco.exe

Filesize
100KB

MD5
b6013fec34b008e016b27d52089f34cd

SHA1
72a66b18495103cd7e2a6a4b6b1d6f0ea174547f

SHA256
157a54d37adc2d1488b26966bc3ac121c6bb3927500b06a3f9418ede068d59ff

SHA512
67f9c69d5bf16375d6653855dafb1865d3c0d79557d79876f5eee46b2a63acb82a4497d9a00d0bad19b0d28f78feb13889ee4a164650c93102d741ae82612114

Download Submit
C:\Windows\SysWOW64\Nqmfdj32.exe

Filesize
100KB

MD5
88e3473921e240d98bf629f31b038e5f

SHA1
f51ef03e405870d1b2715ef45163cccc92b72d2f

SHA256
7ccb198db952e6db5a6321c8b77fbf6b022afa2d14aa50749cac88c7697ee2dc

SHA512
b6fa0d5345db444f52c3ead1687197fba6894936a29c21024e8a7138230ec8bd763a2a837d3d29a9d6c25a4728985ed1933bddcf3522f05edb68a5f271d589d4

Download Submit
C:\Windows\SysWOW64\Omnjojpo.exe

Filesize
100KB

MD5
cf6396d61d5c72f908408c4379e4b03a

SHA1
29c40e0886c62bfd0e09f2b35a49b82642bdca29

SHA256
357796c71100387c4ebc615fb000121df402dd12b37fc633770e6dbfd5d76c01

SHA512
a0e548b3ed251d7d3560a9b408b5bf4d5bb24ae01a1af31811e4b5a109156e3f29a04844dba59ae84134876a3f3fee36da67e6e3b3184895d454afc209ddea7a

Download Submit
memory/444-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/716-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/888-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/940-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1044-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1144-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1416-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1452-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1624-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1716-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1720-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1928-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1968-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2008-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2052-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2276-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2432-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2552-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2804-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3104-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3148-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3292-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3380-208-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3456-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3524-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3532-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3608-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3652-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3868-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4012-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4252-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4288-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4352-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4420-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4452-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4456-428-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4488-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4544-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4560-308-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4620-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4744-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4856-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4864-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads