a1371b8ea770724bd271082fc3db1408121ef31be6111a65d0690b457316eaa1

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1371b8ea770724bd271082fc3db1408121ef31be6111a65d0690b457316eaa1.exe
Size

55KB
MD5

a6b40f54c6368c27fbfb75421e6abd7e
SHA1

db603c9069ffd9ee6f040b782c612b458e78766f
SHA256

a1371b8ea770724bd271082fc3db1408121ef31be6111a65d0690b457316eaa1
SHA512

c86db78b5a0360d2debe9269d1276f6d90309f147a7c6e0f2609b7b884cffd72e48ca15ccea98e16cd6e1420617e84bf125e8a87ec4b0f62f5668e0d1f7fa97f
SSDEEP

1536:uRd95RUEilQ8Plpzx53ZK+PKMWy538EDqkkBavlR:6iHlb534+PKMWy6EDqNYvlR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emjjgbjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoifcnid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ficgacna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipckgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfhbppbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqdbiofi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmfbjnbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmclmabe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebploj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efneehef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibagcc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfhbppbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a1371b8ea770724bd271082fc3db1408121ef31be6111a65d0690b457316eaa1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ehlaaddj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fopldmcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibeql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaemnhla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fflaff32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icgqggce.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfdida32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecbenm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpihai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe

Executes dropped EXE 64 IoCs

pid	Process
1704	Ebnoikqb.exe
1164	Ejegjh32.exe
2488	Elccfc32.exe
1876	Eoapbo32.exe
4728	Ebploj32.exe
4104	Ejgdpg32.exe
2400	Eleplc32.exe
4048	Eodlho32.exe
4492	Efneehef.exe
2276	Ehlaaddj.exe
4468	Eqciba32.exe
2484	Ecbenm32.exe
1884	Efpajh32.exe
412	Emjjgbjp.exe
3136	Eoifcnid.exe
3464	Fbgbpihg.exe
2296	Fjnjqfij.exe
3344	Fqhbmqqg.exe
1320	Fcgoilpj.exe
3956	Ffekegon.exe
1296	Ficgacna.exe
4076	Fqkocpod.exe
4256	Fbllkh32.exe
5080	Fjcclf32.exe
3376	Fmapha32.exe
4408	Fopldmcl.exe
528	Fbnhphbp.exe
1184	Fmclmabe.exe
220	Fcnejk32.exe
1012	Fflaff32.exe
3904	Fijmbb32.exe
448	Fodeolof.exe
2028	Gbcakg32.exe
2860	Gjjjle32.exe
4952	Gqdbiofi.exe
2608	Gcbnejem.exe
4772	Gfqjafdq.exe
1308	Giofnacd.exe
884	Gqfooodg.exe
4464	Gcekkjcj.exe
2604	Gfcgge32.exe
3980	Gjocgdkg.exe
4880	Gqikdn32.exe
3724	Gpklpkio.exe
4448	Gbjhlfhb.exe
4072	Gfedle32.exe
3212	Gidphq32.exe
3352	Gqkhjn32.exe
4308	Gcidfi32.exe
1204	Gbldaffp.exe
5020	Gjclbc32.exe
5016	Gmaioo32.exe
2660	Gameonno.exe
1048	Hboagf32.exe
4796	Hjfihc32.exe
2512	Hmdedo32.exe
4768	Hpbaqj32.exe
936	Hjhfnccl.exe
4088	Hmfbjnbp.exe
4184	Hbckbepg.exe
3076	Hmioonpn.exe
4564	Hadkpm32.exe
4376	Hfachc32.exe
4204	Hippdo32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jifkeoll.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Gcbnejem.exe	Gqdbiofi.exe
File opened for modification	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File opened for modification	C:\Windows\SysWOW64\Kinemkko.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Emjjgbjp.exe	Efpajh32.exe
File created	C:\Windows\SysWOW64\Lcglnp32.dll	Fijmbb32.exe
File opened for modification	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ebploj32.exe	Eoapbo32.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Iinlemia.exe	Ibccic32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Chkede32.dll	a1371b8ea770724bd271082fc3db1408121ef31be6111a65d0690b457316eaa1.exe
File created	C:\Windows\SysWOW64\Qjebnamp.dll	Ejgdpg32.exe
File created	C:\Windows\SysWOW64\Jfhbppbc.exe	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Oddfqf32.dll	Giofnacd.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Jmbklj32.exe	Jigollag.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Kpepcedo.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Efneehef.exe	Eodlho32.exe
File created	C:\Windows\SysWOW64\Efpajh32.exe	Ecbenm32.exe
File opened for modification	C:\Windows\SysWOW64\Gqikdn32.exe	Gjocgdkg.exe
File created	C:\Windows\SysWOW64\Hmfbjnbp.exe	Hjhfnccl.exe
File opened for modification	C:\Windows\SysWOW64\Fbgbpihg.exe	Eoifcnid.exe
File opened for modification	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Cpjljp32.dll	Jigollag.exe
File created	C:\Windows\SysWOW64\Ebkdha32.dll	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Fmclmabe.exe	Fbnhphbp.exe
File created	C:\Windows\SysWOW64\Gbajhpfb.dll	Gidphq32.exe
File created	C:\Windows\SysWOW64\Hfcpncdk.exe	Hpihai32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File created	C:\Windows\SysWOW64\Eodlho32.exe	Eleplc32.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fopldmcl.exe
File created	C:\Windows\SysWOW64\Gjclbc32.exe	Gbldaffp.exe
File created	C:\Windows\SysWOW64\Dempmq32.dll	Icjmmg32.exe
File created	C:\Windows\SysWOW64\Ijhodq32.exe	Ibagcc32.exe
File created	C:\Windows\SysWOW64\Dbcjkf32.dll	Jbmfoa32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jfkoeppq.exe
File created	C:\Windows\SysWOW64\Gncoccha.dll	Kinemkko.exe
File created	C:\Windows\SysWOW64\Ecbenm32.exe	Eqciba32.exe
File opened for modification	C:\Windows\SysWOW64\Gpklpkio.exe	Gqikdn32.exe
File opened for modification	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File created	C:\Windows\SysWOW64\Iffmccbi.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Kcifkp32.exe	Kpjjod32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Icljbg32.exe	Ipqnahgf.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kdopod32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Gqdbiofi.exe	Gjjjle32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7136	6192	WerFault.exe	284

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijdeiaio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffekegon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdkhlo32.dll"	Gmaioo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaedgjjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncoccha.dll"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Iapjlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjebnamp.dll"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdcae32.dll"	Fmapha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijhodq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbmfoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbdmpqcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kinemkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcgoilpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Impepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnoaog32.dll"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmmkpmf.dll"	Kpepcedo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emjjgbjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaimbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjjod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjgbh32.dll"	Eleplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbcakg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibagcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dendnoah.dll"	Ipqnahgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfqjafdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hfachc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlcankg.dll"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fijmbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hfcpncdk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpccnefa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kbdmpqcb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 1704	3020	a1371b8ea770724bd271082fc3db1408121ef31be6111a65d0690b457316eaa1.exe	85
PID 3020 wrote to memory of 1704	3020	a1371b8ea770724bd271082fc3db1408121ef31be6111a65d0690b457316eaa1.exe	85
PID 3020 wrote to memory of 1704	3020	a1371b8ea770724bd271082fc3db1408121ef31be6111a65d0690b457316eaa1.exe	85
PID 1704 wrote to memory of 1164	1704	Ebnoikqb.exe	86
PID 1704 wrote to memory of 1164	1704	Ebnoikqb.exe	86
PID 1704 wrote to memory of 1164	1704	Ebnoikqb.exe	86
PID 1164 wrote to memory of 2488	1164	Ejegjh32.exe	87
PID 1164 wrote to memory of 2488	1164	Ejegjh32.exe	87
PID 1164 wrote to memory of 2488	1164	Ejegjh32.exe	87
PID 2488 wrote to memory of 1876	2488	Elccfc32.exe	88
PID 2488 wrote to memory of 1876	2488	Elccfc32.exe	88
PID 2488 wrote to memory of 1876	2488	Elccfc32.exe	88
PID 1876 wrote to memory of 4728	1876	Eoapbo32.exe	89
PID 1876 wrote to memory of 4728	1876	Eoapbo32.exe	89
PID 1876 wrote to memory of 4728	1876	Eoapbo32.exe	89
PID 4728 wrote to memory of 4104	4728	Ebploj32.exe	90
PID 4728 wrote to memory of 4104	4728	Ebploj32.exe	90
PID 4728 wrote to memory of 4104	4728	Ebploj32.exe	90
PID 4104 wrote to memory of 2400	4104	Ejgdpg32.exe	91
PID 4104 wrote to memory of 2400	4104	Ejgdpg32.exe	91
PID 4104 wrote to memory of 2400	4104	Ejgdpg32.exe	91
PID 2400 wrote to memory of 4048	2400	Eleplc32.exe	92
PID 2400 wrote to memory of 4048	2400	Eleplc32.exe	92
PID 2400 wrote to memory of 4048	2400	Eleplc32.exe	92
PID 4048 wrote to memory of 4492	4048	Eodlho32.exe	93
PID 4048 wrote to memory of 4492	4048	Eodlho32.exe	93
PID 4048 wrote to memory of 4492	4048	Eodlho32.exe	93
PID 4492 wrote to memory of 2276	4492	Efneehef.exe	94
PID 4492 wrote to memory of 2276	4492	Efneehef.exe	94
PID 4492 wrote to memory of 2276	4492	Efneehef.exe	94
PID 2276 wrote to memory of 4468	2276	Ehlaaddj.exe	95
PID 2276 wrote to memory of 4468	2276	Ehlaaddj.exe	95
PID 2276 wrote to memory of 4468	2276	Ehlaaddj.exe	95
PID 4468 wrote to memory of 2484	4468	Eqciba32.exe	96
PID 4468 wrote to memory of 2484	4468	Eqciba32.exe	96
PID 4468 wrote to memory of 2484	4468	Eqciba32.exe	96
PID 2484 wrote to memory of 1884	2484	Ecbenm32.exe	97
PID 2484 wrote to memory of 1884	2484	Ecbenm32.exe	97
PID 2484 wrote to memory of 1884	2484	Ecbenm32.exe	97
PID 1884 wrote to memory of 412	1884	Efpajh32.exe	98
PID 1884 wrote to memory of 412	1884	Efpajh32.exe	98
PID 1884 wrote to memory of 412	1884	Efpajh32.exe	98
PID 412 wrote to memory of 3136	412	Emjjgbjp.exe	99
PID 412 wrote to memory of 3136	412	Emjjgbjp.exe	99
PID 412 wrote to memory of 3136	412	Emjjgbjp.exe	99
PID 3136 wrote to memory of 3464	3136	Eoifcnid.exe	100
PID 3136 wrote to memory of 3464	3136	Eoifcnid.exe	100
PID 3136 wrote to memory of 3464	3136	Eoifcnid.exe	100
PID 3464 wrote to memory of 2296	3464	Fbgbpihg.exe	101
PID 3464 wrote to memory of 2296	3464	Fbgbpihg.exe	101
PID 3464 wrote to memory of 2296	3464	Fbgbpihg.exe	101
PID 2296 wrote to memory of 3344	2296	Fjnjqfij.exe	102
PID 2296 wrote to memory of 3344	2296	Fjnjqfij.exe	102
PID 2296 wrote to memory of 3344	2296	Fjnjqfij.exe	102
PID 3344 wrote to memory of 1320	3344	Fqhbmqqg.exe	103
PID 3344 wrote to memory of 1320	3344	Fqhbmqqg.exe	103
PID 3344 wrote to memory of 1320	3344	Fqhbmqqg.exe	103
PID 1320 wrote to memory of 3956	1320	Fcgoilpj.exe	105
PID 1320 wrote to memory of 3956	1320	Fcgoilpj.exe	105
PID 1320 wrote to memory of 3956	1320	Fcgoilpj.exe	105
PID 3956 wrote to memory of 1296	3956	Ffekegon.exe	106
PID 3956 wrote to memory of 1296	3956	Ffekegon.exe	106
PID 3956 wrote to memory of 1296	3956	Ffekegon.exe	106
PID 1296 wrote to memory of 4076	1296	Ficgacna.exe	107

C:\Users\Admin\AppData\Local\Temp\a1371b8ea770724bd271082fc3db1408121ef31be6111a65d0690b457316eaa1.exe
"C:\Users\Admin\AppData\Local\Temp\a1371b8ea770724bd271082fc3db1408121ef31be6111a65d0690b457316eaa1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\Ebnoikqb.exe
  C:\Windows\system32\Ebnoikqb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\Ejegjh32.exe
    C:\Windows\system32\Ejegjh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\SysWOW64\Elccfc32.exe
      C:\Windows\system32\Elccfc32.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\SysWOW64\Ebploj32.exe
        
        C:\Windows\system32\Ebploj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Eodlho32.exe
        
        C:\Windows\system32\Eodlho32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Efneehef.exe
        
        C:\Windows\system32\Efneehef.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Ecbenm32.exe
        
        C:\Windows\system32\Ecbenm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Emjjgbjp.exe
        
        C:\Windows\system32\Emjjgbjp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Ffekegon.exe
        
        C:\Windows\system32\Ffekegon.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Fbllkh32.exe
        
        C:\Windows\system32\Fbllkh32.exe
        24⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        25⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\Fmclmabe.exe
        
        C:\Windows\system32\Fmclmabe.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        30⤵
        Executes dropped EXE
        
        PID:220
        
        C:\Windows\SysWOW64\Fflaff32.exe
        
        C:\Windows\system32\Fflaff32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\Fijmbb32.exe
        
        C:\Windows\system32\Fijmbb32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        33⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Gjjjle32.exe
        
        C:\Windows\system32\Gjjjle32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Gfqjafdq.exe
        
        C:\Windows\system32\Gfqjafdq.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Giofnacd.exe
        
        C:\Windows\system32\Giofnacd.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1308
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:884
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        41⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        42⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\Gqikdn32.exe
        
        C:\Windows\system32\Gqikdn32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        45⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        46⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Gfedle32.exe
        
        C:\Windows\system32\Gfedle32.exe
        47⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        49⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        52⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\Gmaioo32.exe
        
        C:\Windows\system32\Gmaioo32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        54⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        56⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        57⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\Hpbaqj32.exe
        
        C:\Windows\system32\Hpbaqj32.exe
        58⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        61⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        62⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Hfachc32.exe
        
        C:\Windows\system32\Hfachc32.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        65⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\Hmklen32.exe
        
        C:\Windows\system32\Hmklen32.exe
        66⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\Hpihai32.exe
        
        C:\Windows\system32\Hpihai32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        69⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        70⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        72⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        73⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        74⤵
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        75⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\Icjmmg32.exe
        
        C:\Windows\system32\Icjmmg32.exe
        76⤵
        Drops file in System32 directory
        
        PID:1192
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        77⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        78⤵
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        79⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4316
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        83⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        84⤵
        Modifies registry class
        
        PID:5176
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5220
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        86⤵
        Modifies registry class
        
        PID:5264
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Ijhodq32.exe
        
        C:\Windows\system32\Ijhodq32.exe
        88⤵
        Modifies registry class
        
        PID:5348
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        89⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        90⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Idacmfkj.exe
        
        C:\Windows\system32\Idacmfkj.exe
        91⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        92⤵
        Drops file in System32 directory
        
        PID:5520
        
        C:\Windows\SysWOW64\Iinlemia.exe
        
        C:\Windows\system32\Iinlemia.exe
        93⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        94⤵
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        95⤵
        Modifies registry class
        
        PID:5660
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5708
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5752
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        98⤵
        Drops file in System32 directory
        
        PID:5796
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        99⤵
        Modifies registry class
        
        PID:5844
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        100⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        101⤵
        Modifies registry class
        
        PID:5928
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5988
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        103⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6028
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        104⤵
        Modifies registry class
        
        PID:6088
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        105⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        106⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        107⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5244
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        108⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5320
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5372
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        110⤵
        Modifies registry class
        
        PID:5456
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        111⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        112⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5600
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5696
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5760
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        115⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        116⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        117⤵
        Drops file in System32 directory
        
        PID:5972
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        118⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6128
        
        C:\Windows\SysWOW64\Kpccnefa.exe
        
        C:\Windows\system32\Kpccnefa.exe
        120⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5356
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5504
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        124⤵
        Drops file in System32 directory
        
        PID:5656
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        125⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        126⤵
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        127⤵
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6100
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5296
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        131⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        133⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        134⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5676
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5792
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        137⤵
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        138⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        139⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        140⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        141⤵
        Drops file in System32 directory
        
        PID:6152
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6200
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6248
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        144⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6336
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6376
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        147⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6424
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        148⤵
        Modifies registry class
        
        PID:6468
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        149⤵
        Drops file in System32 directory
        
        PID:6508
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        150⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        151⤵
        Drops file in System32 directory
        
        PID:6596
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        152⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        153⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6756
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        155⤵
        Modifies registry class
        
        PID:6796
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        156⤵
        Drops file in System32 directory
        
        PID:6848
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        157⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6936
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        159⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7028
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7076
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7116
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        163⤵
        Drops file in System32 directory
        
        PID:7156
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5684
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        165⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        166⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        167⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6408
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        169⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        170⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        171⤵
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6744
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        173⤵
        Modifies registry class
        
        PID:5552
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        174⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        175⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6464
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        177⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        178⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        179⤵
        Drops file in System32 directory
        
        PID:6836
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        180⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6884
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        181⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        182⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        183⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        184⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6208
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        185⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6256
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        186⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        187⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6792
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        188⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6920
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        189⤵
        Modifies registry class
        
        PID:7012
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        190⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        191⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        192⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        193⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6192 -s 408
        194⤵
        Program crash
        
        PID:7136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6192 -ip 6192
1⤵
PID:6344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebnoikqb.exe

Filesize
55KB

MD5
867b633c1c0b622e9ca5a7a5b67eb406

SHA1
865290cf26995639cc5e41c57ed54e308301c806

SHA256
3f55492a7ea355d48b600afef7fb63dada0b825b086a77719d8cf68b8bc2d26f

SHA512
f2bb83922c08270a9c699263f2a4639e27b0eae0da06664b4c99c799d29a37d58f9392c3743523586cb18bb4cb1ffe278999548aac2d0a2661744ee48273967a

Download Submit
C:\Windows\SysWOW64\Ebploj32.exe

Filesize
55KB

MD5
d6171fa6747bf97b817ca68ead721ccc

SHA1
6e8f67f6423af8f7e6b8e1ccc6d44c0b89125777

SHA256
1962ea5ad19477127cbd10eef525ecde7043484a6a550daeabab21c65c0931c7

SHA512
922abf034407e893f612b1b11503adf9ef3bd2b763e03685d3022163d0cffd2ae03250c8d0ebf8fd934a0acbdae8adfc59015724534efd9820fd65388ebb7ff6

Download Submit
C:\Windows\SysWOW64\Ecbenm32.exe

Filesize
55KB

MD5
e87b7941a7eba3e4c54028bdb230f615

SHA1
2793057d25fdb011e5ce9bbf0c5bba075bc81668

SHA256
df8fc1b75f38ac1a0e29bed233c8725d2d5dcfb9a5561cb34893e78b561da12a

SHA512
078af406690adfb57d223a198b231b77ad10d3de908c60ebbcaac4371c7fd34e0259a8cb07babebc06533cd4d2f342d6491edd57b30629bc9ea7d35434c0d8f1

Download Submit
C:\Windows\SysWOW64\Efneehef.exe

Filesize
55KB

MD5
d2d214ee12aeddc9d9e60e67ab39b98f

SHA1
59e83611a16629f42f38ee3c7df390c71c17ef3d

SHA256
0b19f40db49f8380575091dcb67d4fbbecef184a1c60bcbdcfa111162a02d1e9

SHA512
e408d433ec4b079f363c6005a3397b2d5bf8ba5e517b4d065b6e679672e571e8d0b745fde9b4f7fac02a7e79d9a2fe21d78a9fc685491cc843007d8b9432a0cf

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
55KB

MD5
08765669bb1eb2fe255d638bdcdaaadf

SHA1
1b05e20c728d391583011c4634bb91af2f423271

SHA256
9ecd8df44b7f0c3eecce8ef04fcf48d55d35a11266fba031144a004967c087b0

SHA512
5e436f209959652936e7905851091bb1fda70b49613da674efacf062816049ef86c862a32184c051ccb285c6e9bc43d216e5831e31aef3e92b2e6438b12615e2

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
55KB

MD5
e86939f8c5d4be4059a162662c302078

SHA1
c8ead6c34e1af055c1f13de2188c3befbd8afb90

SHA256
a5434ee9f79cf05c6f246a2c4693e85b40b30f4331913f21b7f2c61d5b08911d

SHA512
173ffbdff3ece8ed2e6d161bca38bca8c86c616ab5113e9057a1a90e9bbf3ca269ea934e90c0cfd9a14d9d3332555ca6b697e6fc50d39f5c6740ee8a3f203d3e

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
55KB

MD5
eaafc41a309e3cf1f59c416317494594

SHA1
2198dbce5daec919f4ab55bc240a17a89855408f

SHA256
de9d102f42ce334cca76f0c688affd3bd08ffa97691a586706da7e21f78d80d5

SHA512
d72f75dff2184085c909675e64100f5ad65bbc44853a0d97c914abe6eedd0f8607dc384f50de3ff707b302dd54ea020c24b26d47765267b543dc2c3c1dd5def5

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
55KB

MD5
9b9337076bedf06ddcb7e4a566224844

SHA1
585ad0afc54026e86544bff4a8c561d210c707d2

SHA256
d9890c74e10d655772ff78db6bb91c3d0c9e95cf82fbb9bc84a791a2efea812c

SHA512
5fb35504969591f6fc6dbd71dad17311d3ea5dbc2e6b6a8bddb1a9759b465f4f961d70292d9d1cab7999a77a4532db279676e1ce0dcc39673f4dedebc0eecf73

Download Submit
C:\Windows\SysWOW64\Elccfc32.exe

Filesize
55KB

MD5
60f3c205dcee03709a535e57f6cdf74d

SHA1
8010d99ab055fd1bfb2ec45da53ad5264070dacc

SHA256
1127d5434ce3d2ea0e4f229bdd81db8bbdc379ecdc99833e8f9990d8b7771a71

SHA512
a27cf956a0fa2f8123afd3e146d3ea8b215863c3ebfb0f46408b23000ac0d9aa45e3342859542773de0386690ee751ff690dbb37426439e435b3e134a2b636cb

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
55KB

MD5
e2d2033cbae2f5cc4bfff19bcde67851

SHA1
8d5e9e0051cd938f48fa085f852377b3a4ae6948

SHA256
22e0101d1cb22a127c6f9bc44d015fcfaac1457ee2622852ec4e3957296b4823

SHA512
2d001c750180591ed80919e07b41a47307e6487621e5389eeabd10331eb0f015071278d8de40717e68e2271add55dbe0f3b1f44a9a65e8032ce607c6f6209055

Download Submit
C:\Windows\SysWOW64\Emjjgbjp.exe

Filesize
55KB

MD5
5eff2c239a01060e14896630ad9baeaf

SHA1
fc777d99f9b69f7bb9c1eb22ac92a7f32b32443c

SHA256
51018337a2fdde5135c2956b0209318aaf9a5a745233790453dfc2ff0d3c2faa

SHA512
f10852d32a689bfa768606ff88f923d0e5f886652551956177f2b539d6aba14dca910e5705d6d5849a3cd4fcbf08146894b6a2ceed3da41d6cba5b124331423e

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
55KB

MD5
c17da1370e73f95b0ddb5f579df7fb1d

SHA1
562058b856e7b25e7a100f0659b1c01d79affc73

SHA256
78e0e3792ac4d298e76f2ba02dcc63a515ae0bba21bc13aee3ca2082350a160f

SHA512
358027e837021974b0263e674f6d3a2c0a1c26d46afaaea3efc3d95ea5983408585b452419341f065fb2fb1438b81272095208d9e8e3f8626298a01820785474

Download Submit
C:\Windows\SysWOW64\Eodlho32.exe

Filesize
55KB

MD5
f399d2d7f512f8385022e79f8fea5070

SHA1
a5620cde714baadc359a2925e4d840fd703076ce

SHA256
0167e02f5f1796acd15b212c3f010e9c10f5e8487aa1d2abefb2e2dbd3fdfe3c

SHA512
f8bdbd24ea0764921ea241dd36ee0a1be5eda40cb34203380b41c7c68cb20e44dc679b4bf8a5fd01b24b3e0f330dedc6c42319ff3e97f5b6929874beea644515

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
55KB

MD5
77086ccdfcc76675071693b2acd650f5

SHA1
29eebdbfff44ff1b1cf69ba0a51e060e12dac378

SHA256
41636b1ce524a17995e9eecc7c1f83a8737c976abd8365bf02e019ed7ccbcad8

SHA512
ceb347e4ac249f1d4643f017e23f32b223ce57a5247a2ec939d4bd39916348465d0af8dd79c3757cae6173060a2f9a2b328de4b1cd29c4b43e93077d959a5c4e

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
55KB

MD5
eb4d71ba5aa81816bc1832cd8e5def79

SHA1
f412321a18104d60e9d732a8a0f1d61a8b260d12

SHA256
c058a5d7fc2c1f5516abf76012f26b7e0c8af5cc4a1dba52e7f35c5d1a943afc

SHA512
f9bb3a5dcf2d6aa54f345a73acdadf26f6f7e077ac6cdf846d988adb536fbfa75b43153f3784d20a4c3208f390237dcb816855cfe8068ac90a92b73c3cb2e062

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
55KB

MD5
9859cec37b68352e40de881d412bcd26

SHA1
1be21f8ea7568608a705dd659438eed83a2dc1ff

SHA256
014e92440722301146a9f49d6ea5af681367f291c8ade0aa05b22d5ea8806085

SHA512
2251c1ca87aa587b9d441d191bd65158e9cba1bb50ecfb5eec206dc38b4d44b17035575915362200e1c92257847a6a7a98105021ecb0a15740cc938c4910027b

Download Submit
C:\Windows\SysWOW64\Fbllkh32.exe

Filesize
55KB

MD5
8e9451a3d96090e32420f1e38cd9d4c3

SHA1
ae80288407fa6c6770d44cc142991499e0e78499

SHA256
f94cf2607149b60027ddb197cf4893894c35d86d679ccd4e09372d79cc77ed61

SHA512
bd5b3eeef56d08cd45092abd1dc69cb1f23556f787bfb2bafe66a5ba07a42d7ceb23699a6f705297ab3930144c7a63f03a6397903645a0f79f05a7a1ddbe2f82

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
55KB

MD5
5c57096c5e401aa2aed108cbf11a7164

SHA1
eb10b9bb3541e82092c400169bac13b0934a7931

SHA256
4d931a1efd00154cbb69a48f8032fb5f30c4ecf2ae47543c6f131d13be57001b

SHA512
0442a4f0ae84513b869dafc78c27a6732e4ff1f2ee9bfda70134fa10f5d9ffb35e4552a49bfd61cc0f307b84cdc728e760eca7fc0acfab6e4baea58d1b266282

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
55KB

MD5
8076449f1abfc16b761c8939328f8fb4

SHA1
c7ade3aaa7f05d3a103c7b9520c3bfd4f457b9c4

SHA256
c5e3fb86a93192b82237bf734f343a5be2933d382759c2cbc1459d2f063b2477

SHA512
cc54db2b21defde95a570db941a78f199afe56663dc584c36aa78f43d26b19d4637a4f875f05911b33a9f6dd808ae9e7f517f5414a6e307b0a8b73cf6c1bd26c

Download Submit
C:\Windows\SysWOW64\Fcnejk32.exe

Filesize
55KB

MD5
19cdc4a0d348d94269e1e7518bdc48c6

SHA1
c33bf830cb493abc4e9bf220fa2fbffebb731b5e

SHA256
b0690e1205816f939172172e006e2ea0891a19f26f04dca950b30c9461cf90fe

SHA512
fcf1a678e4b402dba0bbf33f14a81c77d155f45be426a0a83a3a2b7913862219efe1e4bc9468a681969bc87f30c8a345de26eed2916f8e9ada2a4e1d2f82fd7d

Download Submit
C:\Windows\SysWOW64\Ffekegon.exe

Filesize
55KB

MD5
4500e76a37fba73983a8fdd2cebae760

SHA1
33d0d71608a5fb3fd873300657acf30b8d5b08a6

SHA256
fc1c846abe2fbf85552840210df445f292e9d49af416678371274a18244a7cdd

SHA512
0686890afed5e4f579b20c46e77cd1694457bcdb82228a1b8cc7b054be8e20d67e57c04825da8f2e7af5c70c312626118faab68812502ec8f1bc26a24c0bcd3f

Download Submit
C:\Windows\SysWOW64\Fflaff32.exe

Filesize
55KB

MD5
659fccbe88d178e5594bbe7c3b35690e

SHA1
28fc5b93da7f3d89431e51b6ea42fdc2dc326184

SHA256
6fc3686862e4bb9cc7894f9b402e9b99238db098c8c9f6326a9e29b8e9773f31

SHA512
ced8ea4ca16ce46b71ecd6608ebde1d40930b70c95e911aa0403ab3f5269e3970e9dee1367d4c8d1a29c0e68845aaad7227397c4c1cf1945d8d69295247e8304

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
55KB

MD5
c9237849a80a49c684934ea8507d004c

SHA1
ec92f66f563e5534d6c90f31b5a4b9a6daa050b6

SHA256
19e9bfd93e4a0f0be2219e05bfeb6d8d5a6b48dccb28865d050b5504583d21a7

SHA512
fe7608b16cf6867c7d7cab28e197f23870c9d7a91ceaabdb4775eae0a802d0ea98ed5935936fa26c3cac685544b9e30f1d60cc8dde1e438c3470e8498999fa85

Download Submit
C:\Windows\SysWOW64\Fijmbb32.exe

Filesize
55KB

MD5
9074f27a438ed0875a91e2d28858d871

SHA1
0d9705a9639794d61b94eec07afe19c8c8bc652c

SHA256
6b1fe005ec5a8a5489c0b6303d5c51c732dbe3b344a0e24ccc5472993c2bf707

SHA512
0df38ff1cffe2ad24ccc69b0927d284d2a73d89bf7edf1536540d5727299c68e70d91cd321e6232805f33b20076ecd536777a0829c3cdf91433d14a55233cea6

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
55KB

MD5
f9771fc7d6e5b48e19096d39eeac9aca

SHA1
df0d3bb274389f048825e8db9c72a163b05cc0b1

SHA256
8a45702a40b516533b6f8ee92973713eb94c122798c199c380c6e2a4ec3825ba

SHA512
9e6959c3fa3cca586bc8d753505615195b5fa56ec27915f5681152f53e40b1038ca2e0c059d5cbd79641ed350e54b632839e4d037952a9b4ca08da7f94e56413

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
55KB

MD5
b3cfc181d9e22503c97eeb76567f5cb6

SHA1
9b03fce3724ff67979d0296a006ace04966693bb

SHA256
528d155aed4b0f5aa082f8d843b07e6287141e8ea2231037d4657f8417923a68

SHA512
19d1cf68e1995bcb59265809fac7317e38d0cc2ed33e5a556e7b21d1eed002c319aa3c16fab6710176278cc9d23b2cb8310d9ad24a1fe9e3971d98f5d8f9d5ac

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
55KB

MD5
710d90caa647c4f6336ae50e8b39337c

SHA1
f659249a0f30424a49ad2b8cfbf613ffdeb489d4

SHA256
9f4660a4b44380c712258d579584168ae64ca62518e9d3da9bd73fc1e177e58e

SHA512
cbb3d545cdb7bd2ca2a55aaf2f46ceb81cf369fde2016ee9844d5ab73602c0951d2b710d3830a49aff940e383c58476882ea7293f66fb882ae44a09f4a07630e

Download Submit
C:\Windows\SysWOW64\Fmclmabe.exe

Filesize
55KB

MD5
48217e6b1bf1a8b4990d7f9ccc1dc4c3

SHA1
8ee01494af25f1ea6f690c219056a610ed16bab9

SHA256
601fd0e7d47edf8c7db23733c857c8f648e430b62ef3e2d36abbd730f38a30a7

SHA512
6bb512a8e2ed09a93b502b83d48b36e3448da2f69884b54f765e3fbc4d809a6c053a75ac5a7dca09d44f9cf700cc58c9a53888e34dc9c72b4b4c31d4a17c9ee9

Download Submit
C:\Windows\SysWOW64\Fodeolof.exe

Filesize
55KB

MD5
7a713157e6930510abf414426d331bad

SHA1
7bd9e7a846d9405f511b11ca9678f585fbe7e6dd

SHA256
cce14bf46405a4a815e985f84e6ec0000db59386ced4ebcf74b7e1528bbcae73

SHA512
240845e6a930536ebb324f8671beb6feff220d40286b13d121bce34a245c91ccf866d0c446f697ad458269755e9194135b590a3e99166d8d26c82490b9b787e0

Download Submit
C:\Windows\SysWOW64\Fopldmcl.exe

Filesize
55KB

MD5
f823ae4120c4b02c3bc057c1d475b8c5

SHA1
b14e0040277498fef11156802398582a6c00316e

SHA256
38da2be1c8746e28b7c411421de9faba0624d94b8f01d47bbf4f67c5a35ade9b

SHA512
8b0e83b99a23077d35cc0bf4f39cf6fe61833d656d64cadad8401f9503c9119741a92998adeb499bbf619198e5c22199a4582835be55c7adb200fc7ef4cfd999

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
55KB

MD5
1e3ac0f5dc3a5c35013233dac688d33b

SHA1
3aea66666948ad4ca5e4078bdef411524ef93c9b

SHA256
796ae4ea7c21a102636fede7acbb3aa06009835a9ffa2462cdd433280c76fe7e

SHA512
965275632f5c35d32f5f9b91f513bfa490be3d2f1230cecf61e5660097d8d9c865bafbf3c26e5ef6576dc5eebb3dfdb328188c69b12c5cf23463e1a785305379

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
55KB

MD5
8518b4b491c5b57d8c7ce35f63ac3dfc

SHA1
66472efc7b6974d62f04b00907ee04f0f579292e

SHA256
8126ad0b6b1ef2dcde3359d3674d6a63f934b19e9a4a74ee8531b0b2d2288ed3

SHA512
f1a1f64da76a0c0d0b7846e5218663e51598c085aa198e83cf299c035a75ae2ac3cbeca7d2d113cc5ee84ccb0c34bedbefa57504b3c2a92afc96e41907729056

Download Submit
C:\Windows\SysWOW64\Hadkpm32.exe

Filesize
55KB

MD5
0fb80416e8375c276938bddb7906b38d

SHA1
a67ea31a67be8969b4850bc22c56ef8a4a8dde54

SHA256
06a10bf0926289921b3236152980b5e733087d86621a06783726559bf26bb902

SHA512
dee4d6212725ab8556495bc6b8de2f09ff3efaf39a3ce22542b00e19725e5c3786a7ad72122aa64785bb52894928501a715efccb5d7188b72debcc265abf2a13

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
55KB

MD5
a87b6c0ff45ede451206f4ddeb5fea3a

SHA1
fbeee7a28c69dcc7937d94422baccf2d7cdd83e9

SHA256
dd0106dd8c7d1943e23955a83c09dcc332a1a72c92fff89dcb4d73f2fa075fe8

SHA512
b42bc9d0757b4ef9ec2a84a228f621436571523747b51e4af1628c04a58aa878b45d1e4e3c2a72c1a0ff72d07c268e7ea6bc4f2d5f3aa6acc057f5241562194e

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
55KB

MD5
a0a19de1f84b6fe501c0a5c66ae27006

SHA1
0d78124c5ba0798ab3c6fb95ffc75398eb63fbc1

SHA256
e15dc5ee577f2d735a6b92b8f5d4674f9d23811e361329843260fae975bd8779

SHA512
48545a615fc73c95bac435c9d8631f8a755d695d6befadc2a1888f9afb4d3a02752a896e1dfef15e8826cfc30892298109d739f800d01779973da7c8db37e59a

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
55KB

MD5
a8840238a1165e21677274b673549bc1

SHA1
127c6fcbb386f67ac45934c540febfa9f5c0935b

SHA256
b285d5dabbeee25ea1dfc8ab1b05c2e94b6e2a5164e3bc08525aafdff0898a18

SHA512
1ddde6687ecd217a5c330b90a0a6dcb1f5affb4b69ec412038203bbf4152d4edd118feef8979c0607dcb03109133f81d69f6ea6b7c82e58d52ea0ecf3ec950fa

Download Submit
memory/220-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/412-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1048-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1320-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1704-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2512-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3076-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3352-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3464-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3724-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4088-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4104-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4464-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4768-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5016-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5464-1343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5548-1283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5552-1300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5720-1342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5792-1337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6192-1280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6208-1289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6232-1308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6256-1288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6268-1307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6364-1306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6424-1326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6468-1325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6504-1304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6508-1324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6548-1287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6632-1302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6768-1290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6836-1294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6848-1317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6876-1281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6884-1293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6936-1315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6972-1292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7012-1284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7028-1313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/7076-1312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads