25621215248fbc15e1e705513ba07a4685cd83eefc647f83c668662d57f733ef

Analysis

max time kernel
143s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25621215248fbc15e1e705513ba07a4685cd83eefc647f83c668662d57f733ef.exe
Size

72KB
MD5

475c73d9394374473c6c0f8ad829bdc0
SHA1

1f4c9d04c7eeab0b26190ded3fdce16337c36725
SHA256

25621215248fbc15e1e705513ba07a4685cd83eefc647f83c668662d57f733ef
SHA512

79d9b3adb9f491b5f37ffad6114abb32a36e2bc49b6719f276232b9587c7b7ba04f9f4817a28db74205ea3c1dfb604c5182b3e8b270c5dc7a125451f024ff526
SSDEEP

1536:8Xv/s5kV3VzW3t6OdljJ/U/m/lifPgUN3QivEtA:0M+Kd9J2mofPgU5QJA

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclakimb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijkljp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjepaecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hapaemll.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jidbflcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjcclf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gameonno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadkpm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcedaheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbaemhc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqkocpod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmapha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebbidj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqmlhpla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpklpkio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkojb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqciba32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hippdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipnalhii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjqeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdcpcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbanme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe

Executes dropped EXE 64 IoCs

pid	Process
3708	Dphifcoi.exe
1692	Daifnk32.exe
1244	Dfdbojmq.exe
4980	Dlojkddn.exe
1788	Domfgpca.exe
3788	Efgodj32.exe
2024	Ehekqe32.exe
3648	Epmcab32.exe
4504	Efikji32.exe
528	Ehhgfdho.exe
2148	Epopgbia.exe
3592	Eflhoigi.exe
1632	Eleplc32.exe
1896	Eqalmafo.exe
1724	Ebbidj32.exe
4848	Ejjqeg32.exe
1368	Eqciba32.exe
4496	Ebeejijj.exe
1232	Ejlmkgkl.exe
2060	Ehonfc32.exe
1820	Eqfeha32.exe
4076	Ecdbdl32.exe
1624	Fbgbpihg.exe
1496	Fjnjqfij.exe
5064	Fqhbmqqg.exe
536	Fbioei32.exe
1156	Fqkocpod.exe
4476	Fcikolnh.exe
5100	Ffggkgmk.exe
4736	Fjcclf32.exe
4196	Fmapha32.exe
4500	Fqmlhpla.exe
2424	Fopldmcl.exe
544	Fbnhphbp.exe
4628	Ffjdqg32.exe
4608	Fjepaecb.exe
2120	Fcnejk32.exe
2432	Fmficqpc.exe
4380	Fodeolof.exe
1772	Gqdbiofi.exe
3128	Gcbnejem.exe
3464	Gmkbnp32.exe
4240	Gcekkjcj.exe
712	Gjocgdkg.exe
3736	Giacca32.exe
3944	Gpklpkio.exe
3628	Gbjhlfhb.exe
3536	Gidphq32.exe
3144	Gqkhjn32.exe
2848	Gcidfi32.exe
1872	Gfhqbe32.exe
4832	Gjclbc32.exe
4720	Gameonno.exe
4072	Hclakimb.exe
2932	Hjfihc32.exe
2812	Hmdedo32.exe
3164	Hapaemll.exe
3460	Hbanme32.exe
2604	Hikfip32.exe
2404	Hpenfjad.exe
996	Hfofbd32.exe
1044	Hjjbcbqj.exe
4488	Hmioonpn.exe
4660	Hadkpm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fopldmcl.exe	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Gbjhlfhb.exe	Gpklpkio.exe
File opened for modification	C:\Windows\SysWOW64\Daifnk32.exe	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Ndninjfg.dll	Jmkdlkph.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lfmona32.dll	Efgodj32.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Hmdedo32.exe	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Ipegmg32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jbkjjblm.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lgabcngj.dll	Hclakimb.exe
File created	C:\Windows\SysWOW64\Ifhmhq32.dll	Hbeghene.exe
File created	C:\Windows\SysWOW64\Jbmfoa32.exe	Jidbflcj.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Dlojkddn.exe	Dfdbojmq.exe
File created	C:\Windows\SysWOW64\Cichoi32.dll	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Fcnejk32.exe	Fjepaecb.exe
File created	C:\Windows\SysWOW64\Icgqggce.exe	Haidklda.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jbmfoa32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Eqciba32.exe	Ejjqeg32.exe
File opened for modification	C:\Windows\SysWOW64\Fmficqpc.exe	Fcnejk32.exe
File opened for modification	C:\Windows\SysWOW64\Hcedaheh.exe	Haggelfd.exe
File created	C:\Windows\SysWOW64\Honcnp32.dll	Jfffjqdf.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ipegmg32.exe	Iabgaklg.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Efgodj32.exe	Domfgpca.exe
File created	C:\Windows\SysWOW64\Gpklpkio.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Aaqnkb32.dll	Ipqnahgf.exe
File opened for modification	C:\Windows\SysWOW64\Iiibkn32.exe	Ifjfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ibagcc32.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Fcikolnh.exe	Fqkocpod.exe
File created	C:\Windows\SysWOW64\Denfkg32.dll	Hfofbd32.exe
File opened for modification	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ijdeiaio.exe	Ibmmhdhm.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Fkokhc32.dll	Dphifcoi.exe
File created	C:\Windows\SysWOW64\Epmcab32.exe	Ehekqe32.exe
File opened for modification	C:\Windows\SysWOW64\Jjpeepnb.exe	Jpjqhgol.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Gagaaq32.dll	Efikji32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6876	6564	WerFault.exe	261

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmona32.dll"	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diefokle.dll"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjnjqfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hofddb32.dll"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgaem32.dll"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbjhlfhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfihl32.dll"	Iapjlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbmfoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdedo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dakcla32.dll"	Iiibkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bademghm.dll"	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denfkg32.dll"	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogedoeae.dll"	Eqfeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hapaemll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqnhjk32.dll"	Impepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibgnfha.dll"	Fqhbmqqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hikfip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdcbljie.dll"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdcpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpphha.dll"	Ehekqe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejnmepn.dll"	Eleplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiibkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eflhoigi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejlmkgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffjdqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lolncpam.dll"	Gcekkjcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcfkp32.dll"	Hpgkkioa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfffjqdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijolgl.dll"	Gqkhjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kinemkko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjnjqfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hihjpn32.dll"	Fopldmcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klebid32.dll"	Hbanme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	25621215248fbc15e1e705513ba07a4685cd83eefc647f83c668662d57f733ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqciba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gameonno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3708	880	25621215248fbc15e1e705513ba07a4685cd83eefc647f83c668662d57f733ef.exe	83
PID 880 wrote to memory of 3708	880	25621215248fbc15e1e705513ba07a4685cd83eefc647f83c668662d57f733ef.exe	83
PID 880 wrote to memory of 3708	880	25621215248fbc15e1e705513ba07a4685cd83eefc647f83c668662d57f733ef.exe	83
PID 3708 wrote to memory of 1692	3708	Dphifcoi.exe	84
PID 3708 wrote to memory of 1692	3708	Dphifcoi.exe	84
PID 3708 wrote to memory of 1692	3708	Dphifcoi.exe	84
PID 1692 wrote to memory of 1244	1692	Daifnk32.exe	85
PID 1692 wrote to memory of 1244	1692	Daifnk32.exe	85
PID 1692 wrote to memory of 1244	1692	Daifnk32.exe	85
PID 1244 wrote to memory of 4980	1244	Dfdbojmq.exe	86
PID 1244 wrote to memory of 4980	1244	Dfdbojmq.exe	86
PID 1244 wrote to memory of 4980	1244	Dfdbojmq.exe	86
PID 4980 wrote to memory of 1788	4980	Dlojkddn.exe	87
PID 4980 wrote to memory of 1788	4980	Dlojkddn.exe	87
PID 4980 wrote to memory of 1788	4980	Dlojkddn.exe	87
PID 1788 wrote to memory of 3788	1788	Domfgpca.exe	88
PID 1788 wrote to memory of 3788	1788	Domfgpca.exe	88
PID 1788 wrote to memory of 3788	1788	Domfgpca.exe	88
PID 3788 wrote to memory of 2024	3788	Efgodj32.exe	89
PID 3788 wrote to memory of 2024	3788	Efgodj32.exe	89
PID 3788 wrote to memory of 2024	3788	Efgodj32.exe	89
PID 2024 wrote to memory of 3648	2024	Ehekqe32.exe	90
PID 2024 wrote to memory of 3648	2024	Ehekqe32.exe	90
PID 2024 wrote to memory of 3648	2024	Ehekqe32.exe	90
PID 3648 wrote to memory of 4504	3648	Epmcab32.exe	91
PID 3648 wrote to memory of 4504	3648	Epmcab32.exe	91
PID 3648 wrote to memory of 4504	3648	Epmcab32.exe	91
PID 4504 wrote to memory of 528	4504	Efikji32.exe	92
PID 4504 wrote to memory of 528	4504	Efikji32.exe	92
PID 4504 wrote to memory of 528	4504	Efikji32.exe	92
PID 528 wrote to memory of 2148	528	Ehhgfdho.exe	93
PID 528 wrote to memory of 2148	528	Ehhgfdho.exe	93
PID 528 wrote to memory of 2148	528	Ehhgfdho.exe	93
PID 2148 wrote to memory of 3592	2148	Epopgbia.exe	94
PID 2148 wrote to memory of 3592	2148	Epopgbia.exe	94
PID 2148 wrote to memory of 3592	2148	Epopgbia.exe	94
PID 3592 wrote to memory of 1632	3592	Eflhoigi.exe	95
PID 3592 wrote to memory of 1632	3592	Eflhoigi.exe	95
PID 3592 wrote to memory of 1632	3592	Eflhoigi.exe	95
PID 1632 wrote to memory of 1896	1632	Eleplc32.exe	96
PID 1632 wrote to memory of 1896	1632	Eleplc32.exe	96
PID 1632 wrote to memory of 1896	1632	Eleplc32.exe	96
PID 1896 wrote to memory of 1724	1896	Eqalmafo.exe	97
PID 1896 wrote to memory of 1724	1896	Eqalmafo.exe	97
PID 1896 wrote to memory of 1724	1896	Eqalmafo.exe	97
PID 1724 wrote to memory of 4848	1724	Ebbidj32.exe	98
PID 1724 wrote to memory of 4848	1724	Ebbidj32.exe	98
PID 1724 wrote to memory of 4848	1724	Ebbidj32.exe	98
PID 4848 wrote to memory of 1368	4848	Ejjqeg32.exe	99
PID 4848 wrote to memory of 1368	4848	Ejjqeg32.exe	99
PID 4848 wrote to memory of 1368	4848	Ejjqeg32.exe	99
PID 1368 wrote to memory of 4496	1368	Eqciba32.exe	100
PID 1368 wrote to memory of 4496	1368	Eqciba32.exe	100
PID 1368 wrote to memory of 4496	1368	Eqciba32.exe	100
PID 4496 wrote to memory of 1232	4496	Ebeejijj.exe	101
PID 4496 wrote to memory of 1232	4496	Ebeejijj.exe	101
PID 4496 wrote to memory of 1232	4496	Ebeejijj.exe	101
PID 1232 wrote to memory of 2060	1232	Ejlmkgkl.exe	103
PID 1232 wrote to memory of 2060	1232	Ejlmkgkl.exe	103
PID 1232 wrote to memory of 2060	1232	Ejlmkgkl.exe	103
PID 2060 wrote to memory of 1820	2060	Ehonfc32.exe	104
PID 2060 wrote to memory of 1820	2060	Ehonfc32.exe	104
PID 2060 wrote to memory of 1820	2060	Ehonfc32.exe	104
PID 1820 wrote to memory of 4076	1820	Eqfeha32.exe	105

C:\Users\Admin\AppData\Local\Temp\25621215248fbc15e1e705513ba07a4685cd83eefc647f83c668662d57f733ef.exe
"C:\Users\Admin\AppData\Local\Temp\25621215248fbc15e1e705513ba07a4685cd83eefc647f83c668662d57f733ef.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\Dphifcoi.exe
  C:\Windows\system32\Dphifcoi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\Daifnk32.exe
    C:\Windows\system32\Daifnk32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\Dfdbojmq.exe
      C:\Windows\system32\Dfdbojmq.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Windows\SysWOW64\Dlojkddn.exe
        
        C:\Windows\system32\Dlojkddn.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4980
      - C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Efgodj32.exe
        
        C:\Windows\system32\Efgodj32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Epmcab32.exe
        
        C:\Windows\system32\Epmcab32.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Eqalmafo.exe
        
        C:\Windows\system32\Eqalmafo.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ebbidj32.exe
        
        C:\Windows\system32\Ebbidj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Eqfeha32.exe
        
        C:\Windows\system32\Eqfeha32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        23⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SysWOW64\Fbgbpihg.exe
        
        C:\Windows\system32\Fbgbpihg.exe
        24⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\Fjnjqfij.exe
        
        C:\Windows\system32\Fjnjqfij.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Fqkocpod.exe
        
        C:\Windows\system32\Fqkocpod.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        29⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Fjcclf32.exe
        
        C:\Windows\system32\Fjcclf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4196
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Fopldmcl.exe
        
        C:\Windows\system32\Fopldmcl.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Ffjdqg32.exe
        
        C:\Windows\system32\Ffjdqg32.exe
        36⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Fjepaecb.exe
        
        C:\Windows\system32\Fjepaecb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4608
        
        C:\Windows\SysWOW64\Fcnejk32.exe
        
        C:\Windows\system32\Fcnejk32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        39⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\Fodeolof.exe
        
        C:\Windows\system32\Fodeolof.exe
        40⤵
        Executes dropped EXE
        
        PID:4380
        
        C:\Windows\SysWOW64\Gqdbiofi.exe
        
        C:\Windows\system32\Gqdbiofi.exe
        41⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        42⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        44⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        45⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3736
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        49⤵
        Executes dropped EXE
        
        PID:3536
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        50⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1872
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\Hmdedo32.exe
        
        C:\Windows\system32\Hmdedo32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Hbanme32.exe
        
        C:\Windows\system32\Hbanme32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        60⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        61⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Hjjbcbqj.exe
        
        C:\Windows\system32\Hjjbcbqj.exe
        63⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        64⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        66⤵
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        67⤵
        Drops file in System32 directory
        
        PID:804
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4364
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4292
        
        C:\Windows\SysWOW64\Hjolnb32.exe
        
        C:\Windows\system32\Hjolnb32.exe
        71⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\Hibljoco.exe
        
        C:\Windows\system32\Hibljoco.exe
        72⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        73⤵
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        74⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\Ijaida32.exe
        
        C:\Windows\system32\Ijaida32.exe
        75⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        76⤵
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2808
        
        C:\Windows\SysWOW64\Ibmmhdhm.exe
        
        C:\Windows\system32\Ibmmhdhm.exe
        78⤵
        Drops file in System32 directory
        
        PID:4104
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        79⤵
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Imbaemhc.exe
        
        C:\Windows\system32\Imbaemhc.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:1208
        
        C:\Windows\SysWOW64\Ipqnahgf.exe
        
        C:\Windows\system32\Ipqnahgf.exe
        81⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        82⤵
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Iiibkn32.exe
        
        C:\Windows\system32\Iiibkn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Iapjlk32.exe
        
        C:\Windows\system32\Iapjlk32.exe
        84⤵
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        85⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        86⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        87⤵
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        88⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5140
        
        C:\Windows\SysWOW64\Jdcpcf32.exe
        
        C:\Windows\system32\Jdcpcf32.exe
        90⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5180
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        91⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        92⤵
        Modifies registry class
        
        PID:5272
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        93⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        94⤵
        Drops file in System32 directory
        
        PID:5368
        
        C:\Windows\SysWOW64\Jjpeepnb.exe
        
        C:\Windows\system32\Jjpeepnb.exe
        95⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        96⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        97⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\Jbkjjblm.exe
        
        C:\Windows\system32\Jbkjjblm.exe
        98⤵
        Drops file in System32 directory
        
        PID:5552
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        99⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        100⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5684
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        103⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        104⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5864
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5912
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        107⤵
        Modifies registry class
        
        PID:5952
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        108⤵
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        109⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        110⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\Kckbqpnj.exe
        
        C:\Windows\system32\Kckbqpnj.exe
        111⤵
        Modifies registry class
        
        PID:5132
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        112⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\Liekmj32.exe
        
        C:\Windows\system32\Liekmj32.exe
        113⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        114⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5444
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5520
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        116⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        117⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        118⤵
        Modifies registry class
        
        PID:5796
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        119⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        120⤵
        Modifies registry class
        
        PID:5992
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        121⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5128
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        124⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5636
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        126⤵
        Drops file in System32 directory
        
        PID:5780
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        127⤵
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        128⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        129⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        130⤵
        Modifies registry class
        
        PID:5632
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5848
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6152
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        133⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6272
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        135⤵
        Drops file in System32 directory
        
        PID:6320
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        136⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        137⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        138⤵
        Drops file in System32 directory
        
        PID:6456
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        139⤵
        Modifies registry class
        
        PID:6500
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        140⤵
        Drops file in System32 directory
        
        PID:6540
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        141⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6580
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6624
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6668
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        144⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        145⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        146⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        147⤵
        Modifies registry class
        
        PID:6836
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6888
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        149⤵
        Drops file in System32 directory
        
        PID:6936
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        150⤵
        Modifies registry class
        
        PID:6980
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        151⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        152⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7072
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        153⤵
        Drops file in System32 directory
        
        PID:7116
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        154⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        155⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        156⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6292
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6360
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        158⤵
        Modifies registry class
        
        PID:6432
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        159⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        160⤵
        Modifies registry class
        
        PID:6576
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        161⤵
        Drops file in System32 directory
        
        PID:6632
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        162⤵
        Drops file in System32 directory
        
        PID:6716
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6780
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6872
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        165⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6916
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        166⤵
        Drops file in System32 directory
        
        PID:7024
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:7068
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        168⤵
        Drops file in System32 directory
        
        PID:7140
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        169⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6232
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        170⤵
        Modifies registry class
        
        PID:6336
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        171⤵
        Drops file in System32 directory
        
        PID:6440
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        172⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 400
        173⤵
        Program crash
        
        PID:6876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6564 -ip 6564
1⤵
PID:6764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daifnk32.exe

Filesize
72KB

MD5
865a0928253d4a3d52cec415a4436ac4

SHA1
f67ca797bc7fbe3e5ac3cbe3dcb5421b8ba8800b

SHA256
e4ac973e57a8aa75f1c852f22f6ac13e2fc6aa43dd4d15b15466bbdac9df6c80

SHA512
481dc461de89e68805f58e90fa2134bb94031d4d00f3cdf4bc2310214b21b0beda1366565098220505ced2245ef6131da621494e5eac980c57529b4454832b16

Download Submit
C:\Windows\SysWOW64\Dfdbojmq.exe

Filesize
72KB

MD5
9cb488df2b9097540be078247615570c

SHA1
49e8850d31f627356bec73b5a084c3a046ec6dbd

SHA256
31cfb731045c93d553c131509e6e97870655810d706d43476b02d4f05e77471b

SHA512
da3e06b3b77b7e81828cb284bace649f8be21f8dde3bacd38907c6c3b7bf2fa6e110fa3c054c5e0677d1f7819552c56521f64ee83c70b02394fc6d33901b6750

Download Submit
C:\Windows\SysWOW64\Dlojkddn.exe

Filesize
72KB

MD5
094242fe21ffddff0fd6ac7b825e9ca3

SHA1
4dcf9d86ca74eff51b7d7b2aa32eee9c9a815cff

SHA256
d4ae1493d0015170b5081cfc69758ce0b052c78be48d07249e52cee9457048ff

SHA512
e3faddc357e47b9e6e85060d3d6c92ba1715f16e96a3fa01bdad52466b6630cd6a64e917e104806ba99d677dc89872de4b56acdc96982da7037c1bdc411dc903

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
72KB

MD5
8f465df70d962cc87c680f7b17e94c7d

SHA1
2565d11515e5543d2ac9de778698163d6f8f0046

SHA256
586ddbf470fcb3c6fa2515a9e82ef1a00d17760fe15374f671cd12b283daf470

SHA512
6f158e63e0db20ed2fcd289d2554d8f4535a9e000ddd6c566c2049e26f16ecde8dbcee8690fe353fd5d018dfff58abbf3f3eb53a19b45e8ce67a02800171a3b7

Download Submit
C:\Windows\SysWOW64\Dphifcoi.exe

Filesize
72KB

MD5
45b73b8b0b711e9547901f0bc86e6a7d

SHA1
4120a02a1d206e38963943d343910675d2ed65cf

SHA256
cbfdbb41c98ba5a49c19da3ded8864651dc3051290f4527b48f0e4993a35e8d4

SHA512
42e113051cf39c02f8391ec7ce0ccf71e2b396b624d054b784e9f59dc812c8fcd5ad726eb80180cffcb220e567d1aa87a07a1707630f8079afc88cf3c3b2cddb

Download Submit
C:\Windows\SysWOW64\Ebbidj32.exe

Filesize
72KB

MD5
3dd3dc0fbf2b527095a3381250eb4060

SHA1
a2390810824289175abfdb01e70ee60a1e38ad07

SHA256
1b6353f7089cc97b3a60a60d8bca9fbf58d7ba10b3e9f6c554dddb146179fa8f

SHA512
55c7b2d777e9db232765d850c2e84459af5a922c97054b11c2c0a81ae06393ea5c7f376a41fd0798584276ae47004fb01ca1bef1c409e264fe958df69d889186

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
72KB

MD5
c3c57d60087a69e00c27f835fbbb0b12

SHA1
2c6961f564a453dc97ecd65065f4d8b145322c53

SHA256
0b0cae8557404cde1db32ba7bed18b0e5a8909c32ab34efdf8f3ff396a72ffb9

SHA512
df9cf6692320d2d16e888c07e1ea9e49a0b45137ecc2a6605ae697936dcdd931033522dc5ed0b71432c68ef96080c92744f3b2e8d7841cbd31138cb3cd1e7d5d

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
72KB

MD5
4830a1ee495a7cbcbc898384ea4ba763

SHA1
6015a106690d055251dea4e1da2c4abc6095cbfc

SHA256
4f659b22c3d2e1247379d91c105762e6cc90f51ade55fd60f5e27265a7fc7974

SHA512
75c77cb24446034e80b2479f1605aea1c2cbc93ae4f1e0c2ab6c5c7ae95843ffc311bdf25be549502c57d2bb55adac243cb37d6c2b8deea45e3ca83fe92d6148

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
72KB

MD5
9b0a9e401f2856b10e39d4b657c6d28c

SHA1
bd65489de4e3cd9e0d4433bf589abede7572cef1

SHA256
41a4b1f3ec5546949e42038cb1e602bbce5ed23632de1db219607cca1c23b0c3

SHA512
0f07d0f0897e880a5adbe6b5892bd5811bc9306ea2ee8780272193fb04d789558bf58655f0de6a350cb5c4624a140da4c377be68caed418be7d639d176025522

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
72KB

MD5
c6b2e0202f69565479f883780c912c49

SHA1
9e40722f765f45156073a87fd30fade32cca4e01

SHA256
ca9ccd66f8f345a0dfd1d3b6df96f769c497fea7acad5805da1c448a0703d312

SHA512
fad862ec87a5ca23ac08d6aeb2ac3c02037f3b33b7c5edbae49ae78ba003389c1350edc6d76411bb92c912e6ce2db54e140696c1081108672f1156cf7db7d27f

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
72KB

MD5
e7e60f6b66f354b6b253ece422b2aaa2

SHA1
d32cd5ee0bb338c4f699712f23ad127970f24429

SHA256
92c58ed0d39de91ad35d01313884eb99b1b07ab9f6fb509e4ac02f763e3ef8bb

SHA512
ea0d26ffd3fd6e02b12201d8f7896b27f2ed2f8e9a8553a28832631b8daf5bb5cc7937af3cd3b78d51fa2ac708eddbf8bdbafaec2000df75c59f964df89c4efe

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
72KB

MD5
c0215b9b003673b2d14886b0e3f635c0

SHA1
5c79fc9658abed37c5c2d105ad2137530243acd6

SHA256
051ec951eb9ccfddaac3a65bd42999ca349c3e3f032296ed84aff34a3124fd6e

SHA512
5f412f8203d2409cd51e652967f4ba696ac7d49483c728d406aa7af7e5202ec0d411244600461f35b289d0209f7329a0f00524227939e0fe577c5f87c3a8d505

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
72KB

MD5
0eef355b100b5c533ba9e771f53a4c5d

SHA1
3822cfdfe867102a71aab667eae9936ac26f98ee

SHA256
cf75b698fd9d1034d94c03f7189e0794d3783a7c766f66981b09779aa728e133

SHA512
e35dda9a12e333bf942ba9c51d31099b0693b1535e6e98bc09c30d8b5738ef869b2cd913ef1abac7d39206d6ea50c8438de8cedc7347e012c32c7e0c6d46a88d

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
72KB

MD5
fa114a70fe0dd49e5ac72e59a6100091

SHA1
1785b8a8a842987a68ea975906689fa207333ed4

SHA256
ffc2c4503561f3c2d1bde6188c21043ddc774dc2d8e9d8e3ec480b2a336b7776

SHA512
edbb814d95ab805ce48bbe209a695344537aade1c5eeed90d95275bcbaf0816efa79ad24aa601c80036838bfafdea476eca17eef6ac773aa73c903d144c8dd19

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
72KB

MD5
32dd3345c348d8b4ba8aa2563fdca503

SHA1
a74cd7e728d92d524bcc219e576ad52495249745

SHA256
676f6e35d79151b3979c2abd1ba199aa5314cc6c95f802b3335093f2bd86c990

SHA512
529e12391455ae81d0562ec8f9c7a9bb63378b3bf9dfca97368053a6dcdebbba75722f6a851e45c2037d37ea4423f7adb733dbf02690793185fcab45aefb59b5

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
72KB

MD5
e5789fe90bd0f57b3c6cc6ccc948915a

SHA1
16401c9b965813e53421e64e7f1142c41d9f9243

SHA256
3d4dd550bb39b30af56fd1a36f7439541781f176289fbf7b609a0370bc936487

SHA512
3365c9cca84833ba84bd8249fec4c13ee76bfd99895a582e6bc2886af93fd3e7daf9b21c8b5efb94b22e1c8ba3189364c3ae8e893cffecab5b452847b73c189c

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
72KB

MD5
87d639f6bf8dfb1ec755940079276280

SHA1
fcdb636048a14a7739bc270c87a2e6ae6799d6f7

SHA256
287fc1b9e8beeaa22eca035a0a8105af0aa5368837dac3d7e08c681915ae2d4f

SHA512
cbe7fd8b07df9f43438cbf1011269dc47e117a50393412b1527eb3468c4b2dcadc78d7381e59b629124bbc35415c72e816bc0bdaca01142ae79af5015eedf04d

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
72KB

MD5
c10abd91eddc88837c42e3bded287f60

SHA1
d8cb5a0461061b1b76db791efac1d9b912465085

SHA256
a578e5c7f8c59d3bc154a1357a4c0af78d10b8f9915c3a13e9813b1904ea7cbe

SHA512
a2f87bf3d04695c75f1afaf0a86608f75c0b64821d79a44fbd537496f33c2737cb7bc394843c05494962d8771350b5b26acfda157bac4e9fd524f1cc5cd160db

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
72KB

MD5
3d80cd353139a77c3675086897e79eae

SHA1
8128b55c22d1fd6d4930482c3de5f09ef6958d36

SHA256
cb3a24a209fd9cf3f7476ba3f429ea7635c27da4330d4b1d65569c6ebb7666fd

SHA512
3141d4dd97ae9887e996a5104950590e7baac5585f4b282c87c71ad59a7df1b54097a6ce3406df9cd2df1db077cf8585b98f1b0bc36533ab54357e7d2a1a53e9

Download Submit
C:\Windows\SysWOW64\Eqalmafo.exe

Filesize
72KB

MD5
ecbc712e0bfbfc15552ea5abdb096d2c

SHA1
a6700629220844c4f276501466e272e7ed1ef136

SHA256
a1ebcfdde0e138aa8d16d28fcec6edeb05f65a289382c1c95e789511a9f6684e

SHA512
5dfae47cc24630dc1d2e82cda538c1b711a4bbf6c05c25c45f623fa1b718f7b1ed1ec3d5744c26abd9fb014eab1156f88f2b94230b1990c21b003a80e1beab5c

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
72KB

MD5
18cabb18c407108097dd235c8256e86c

SHA1
23ba8fecde6c84b5734335449b50a29af7501192

SHA256
40549a519d6b9a6e9d0444b776cbcf405554a31219e43b8bb9fa7b6cfb2e1617

SHA512
ecaca9254057a7978325367d816d074faa225e0950940047ccb895d45625f05b79131808a6f1afa822dfef77a914b0657ea0e6287cebf2d858d4cba2b27976ec

Download Submit
C:\Windows\SysWOW64\Eqfeha32.exe

Filesize
72KB

MD5
08e1835e32217ee8b8e40a598e257eb8

SHA1
9217cf7215bac4ebea9229157f1a07f2824517eb

SHA256
bbeb7a6539835744d37c130c5aa26a23108686cca416c3e7b6ad7253145cbb76

SHA512
6762337ef385daa73bb0e7b5bd5e96d4d897eb7f12a2c0d63f839a22998cdbb73e2729aa78489885b031fce13c9004808a1dae51535b32690053c637e59dcc6a

Download Submit
C:\Windows\SysWOW64\Fbgbpihg.exe

Filesize
72KB

MD5
15ca0380b145d953c1081afcce4797c5

SHA1
04afe1d6c4ee0d79561b121679f8ead5cc19d10b

SHA256
f11550a1fd2100bf9c4b34f2f21638b83f8fecd2d68f4d7ca1c5926a2ff0d63d

SHA512
2eb9e17fd04d07efae0d323ebfc645e6c5953baff8df08f91252e69572deb920b6722376b99512d42180f24bdab98aa67a53e1970ea3e27db6a6d830e4dfdc73

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
72KB

MD5
9e30268a10d1694a6ae3761b73f9935f

SHA1
0696883c0022b7f20920fcf05a4dd7cd9ea7fe4c

SHA256
e9240a176667c5bcc3c36f64293989868057e200972051d596ac664b815912e3

SHA512
c269d1b513ac480ad67eaafd27238b8a27dca688aede2e78417ebe96b66ee6a56bf44ce5801961db55ac64a517e162184a1ae99fd1bc90a3cecb7d21021a7ac5

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
72KB

MD5
be4de5d99c41f69c25c11f4b26749522

SHA1
fc41a5cb38475d7f747e7cf054f4d83f71cbd109

SHA256
07e001c6d4ef549b7b317554ef9d3eeaf23cb6a32aa7a7e2d5b83a8305e71d40

SHA512
60f7b6e10084faa07115bd93d3ef6fdf55fc0c556eda63f639fad1554f333237a8a6c9714bf3c61d57ae50ce052880cc5a9ab711187db323efce6cb4c117960a

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
72KB

MD5
bad9887d8d748e9e60d1189825f83fb1

SHA1
ebf9994dfd90e9e7fb7341312018ab906034274e

SHA256
a7d6f5ff53c504d631767ebceb8a7e2df4af3df449f7c0e846e648fb99d50a3b

SHA512
1550c3133f5797f1fca2a1aafd36d629e430e074356b4808cd82bf60be32e0edbd1f004d4879ecaddaf6ff0a3d84d74622fcc00e7f7362600c31c1fba468976a

Download Submit
C:\Windows\SysWOW64\Fjcclf32.exe

Filesize
72KB

MD5
ba86ba99187fcdebd7dce2b1027894f1

SHA1
fe6c4cd3124e9a56e59e9b4fca404f0a075903f4

SHA256
a1b384d8f2c7af237feec5dd0931cfcd0186c7369af4208e611b8c16fa5a324d

SHA512
dd81a0945761992fa95d0f8df2147e1645b89ec22d7f4c8ec2ea12dd8b59932cbfc5892f2bf852a122545b71bfe88eca9a38b1d94f2e002963fd51c82fda4d0b

Download Submit
C:\Windows\SysWOW64\Fjnjqfij.exe

Filesize
72KB

MD5
73ea13888ea825a1fc05e5444b76378d

SHA1
f6f6c8812591af02cd1327ad81f3c309926545c2

SHA256
d625982b1f34081d2cc61ecc52450095cdb9472d0b4ff71e338da86464dafecd

SHA512
97b03c8643c0ba3515a9110c05052512ea2fce8a0cdea4c5990b410d01cde6d4952ed7d609f14a1c5830d7e641cc44f03770add8c94d0af5a8967e0aad53bd45

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
72KB

MD5
882957cd6a5e7645088a8a01b8ca543b

SHA1
49e6a5e749063801fe6b8af16124b665f90f875f

SHA256
f3970efb6ff6cf1209f904169079c98d77f2b19a947d9f0f86c494710a860ade

SHA512
0be6fe956c3d44df77af589c5856cd5432cd113ad43e7cebf6baa38911a8916fd6b9d97df2e076c2e512c37cd2cb33e56103c222db17001759aaf3bb12c9c242

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
72KB

MD5
10ec562eba47005bf849450ee9f384a8

SHA1
f49e9d6864162bb4c7e95e3ea9c075a2d9cf9508

SHA256
8513ac288fe5e8143df1a62d75230bc25f522e0e95a1744b0e8e80e12f76eebc

SHA512
006c92204f6dc3cc75fe789b0f9a218565fee67120f6aa30fa386619adb6c249959ce16a1edd642e95f0441337effea934130e58ca40661d42b4275a40d6b232

Download Submit
C:\Windows\SysWOW64\Fqkocpod.exe

Filesize
72KB

MD5
f4d49c27762d40b1dc35f1f4f4bc33f5

SHA1
7f3f8e04058cc38da035c8ef9ec43b8e7dd07079

SHA256
35640ce03a5894865934d6c49bb12a0f60bff8d3bcd66b16781ed2aa608f8d5b

SHA512
75e7b146b4751751f1189dff0e25a47b63cfe06e0d5bbcdce26d917d2b67f9d71924466a9d74ba51ea95b9f63df5755be434fa66931560c790a60a42f4e0f71b

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
72KB

MD5
cf784ecf6d0e16a9b5df686d9ff7bebd

SHA1
84b7dd5c0004ad0f18b417fa1678499c5167992b

SHA256
24d563c85c4546f0756a06dbbb25c3246c82baae0263a710d53cbbe1d9d493ff

SHA512
a90942f957c756bcbb3fe00308739b49225b38e061cc82dc2b770063d5d1d1a81ae2acbba6aaf52286d3b810c2c06a05f5aa151b47d82484491f433170880eae

Download Submit
C:\Windows\SysWOW64\Gcekkjcj.exe

Filesize
72KB

MD5
fa8bb23b4af8edd03a90d84e9c767d9a

SHA1
4f35c26d63419e188e49a89f7223cf238ef309ea

SHA256
3f25d124cf1bad4cb060141605f96446fb1e9c5e8da817aa285a8261c6aeda9a

SHA512
f5c191b52beb860594b0d04918699bb40370983c6655df49a28e2125622103a005ae6e46b55cb2261dd733a52f9e2d24cff895907d61dc70c5d228f445a1046e

Download Submit
C:\Windows\SysWOW64\Ifjfnb32.exe

Filesize
72KB

MD5
fff4029710d4d90f1e8886cab2f910d8

SHA1
ce7e436452f9aad01b6fff1cf3cb40e073d5d6b0

SHA256
5354267b2794fb0a05aab6d139c167fcecfb1231104785cf4ce8f44dac97f6d2

SHA512
8699ad5a802ca47dc9cc24ed346f1678d903f926247364845c3516b8959807bee775d3c8a8d36146753e68a271945b30792876faf35ef190e5f5aced26a83823

Download Submit
C:\Windows\SysWOW64\Ipegmg32.exe

Filesize
72KB

MD5
a13dd5f7a79ac86c96bbb79e8b20973e

SHA1
962e3947600fa1f0dfb0e87721fc90cb8c0d0d45

SHA256
fca6d949c5d368363d5c8c5e0c5612e94bfb37106e9b0b82cc81ae2b22bd7d36

SHA512
b7aeb55335b3bb30a19315495fdda033076aa7ab890c84eaa9c7bf963dcf50c3df399920637015dc55e14ca0abe031a6da897939fad33a20a5c50e6b0aef74da

Download Submit
C:\Windows\SysWOW64\Jibeql32.exe

Filesize
72KB

MD5
6ea079132f6c3d9976f0b49e21442fdc

SHA1
4535387d16672fc313f66a7f9c09dbe20ec199b9

SHA256
ee878b8669ffbb662d5fd9d7b705b4c709708934d4a33f3da8c3cabdd68f1caa

SHA512
8bf8680ea646ffee06e134f84b3e7c1c4640859d9c500aaceaa3635939dd69b2d22f79ec02599104a21f85a17a534c11d5ac75d1226663dd7313205d663f5479

Download Submit
C:\Windows\SysWOW64\Jidbflcj.exe

Filesize
72KB

MD5
290cd53defd5a794417c50bc270314c7

SHA1
8185bba05f8618bbd3c05dbfe3b77fc302e327d8

SHA256
a2254ce08958e36db9bbbc5dc29ef9fd0917b9fadbb25d55eb7ec64b4c6c9a37

SHA512
5aa29b654789988a2e3cd3d8132ddc40405d8c075a4ec79c528f4a6baab8478f6489bb3db75f8ad9c567f2872dabed495746abb24671566eef125890e3e53a5d

Download Submit
C:\Windows\SysWOW64\Jpjqhgol.exe

Filesize
72KB

MD5
d6357756bec7475c2950beb09d6247bc

SHA1
27665872fb4b7891092158084cf6b01906969552

SHA256
1f3dad87c8aa8674aebcef836c2380401367aa8dcee0542554d4650bffbe08c7

SHA512
c2ceab707b9155f642577e6a537be439bf08980c51b6f0120654126a95bc37cc9d409ad4577303b58c7853bbbe7acdd17f952db6e68272b8f32c0e85cc18e49b

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
72KB

MD5
f2173decb4324400325b04595734b140

SHA1
491ba097b316fa745143482519f4ddc60d63192b

SHA256
34f0e0c34e2043035f67deaeeff8e0fd315e26e2dd5d0e213846d1bdb0d5d2c8

SHA512
726e4bd63aa1fa44db4a3fdf7f82628156d7ccd5345284ebd155fb120320f47fbe632706b87535a3d39f21bfe7c05c91c6bb230cb3cae58ebb41566d849922e0

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
72KB

MD5
894c5f09785803e19e4b919c43c5002e

SHA1
24317301569164c74c0099c1dffb06c1cb0237dc

SHA256
3102dfa20cc850f638021849e3eade88ef5f29db5de2b68c8dda17d1c8c3bdbc

SHA512
07536e3749ef3b7cf2646bd4f84b5837185337bb925b08cbcf8323a97f82fd369f2f77e550663bbd0b900c1085ba7ea4e310abef57390ab98b8408edfd3350fd

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
72KB

MD5
3e64800b850526fa1a8e18a0fd0f368e

SHA1
3c99706965dc4d238cfb2a3365999e3da0f97f1b

SHA256
d1015d64111e4dc8bc04269981b1c43505273271303a5074185a37d7715c653f

SHA512
0301fe040401cd984e7789fde328526b7416363223b9138349c12ef40e33385824f5cd470fda4fc15da7936b024629da864ddc7bf4d1aad363ae3688661ed48b

Download Submit
memory/528-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-309-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/536-220-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/544-293-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/712-415-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/712-349-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/880-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/880-84-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-327-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1156-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1232-254-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1232-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1244-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1244-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1368-250-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1368-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-302-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1496-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-193-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1624-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1632-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1632-210-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-21-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-128-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1772-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1788-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1788-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-181-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1872-395-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1872-464-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-218-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2024-141-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-173-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-303-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2120-368-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2148-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2148-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2404-458-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2424-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2432-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2604-451-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2812-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2848-457-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2848-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2932-428-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-394-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3128-330-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3144-450-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3144-386-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3164-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3460-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3464-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3464-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3536-443-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3536-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3592-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3592-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-440-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3648-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3648-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3708-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3708-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3736-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3736-427-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3788-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3788-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3944-364-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3944-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4072-416-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4076-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4196-275-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4240-343-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4380-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-329-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4496-158-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4500-276-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4504-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4504-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-361-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4628-294-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4720-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-255-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-342-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-133-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4980-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-215-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5100-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads