324d28100c466cbc69bbeed9bb04f2afc6dd797e348383af57ec4119eb1b58d9

Analysis

max time kernel
139s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 20:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

324d28100c466cbc69bbeed9bb04f2afc6dd797e348383af57ec4119eb1b58d9.exe
Size

128KB
MD5

5e258d76caa89faf88d0d32c1e0e325b
SHA1

db289ff83347c73ac5d9a067fa90f8618b45abbf
SHA256

324d28100c466cbc69bbeed9bb04f2afc6dd797e348383af57ec4119eb1b58d9
SHA512

6292ae57b8964521ae4d9c4dc378488dddc8757e290b59eee4e7f9847b7f826ba281797f477cbb3b7c9210a82d591236eb00030d43b01af488cdec0596f8d06b
SSDEEP

3072:fJK9w4PW91UZa80Y7kDOUmNRo5PeA+7DxSvITW/cbFGS9n:fgw8W40lqkDOUgo5mAKhCw9n

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jiphkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	324d28100c466cbc69bbeed9bb04f2afc6dd797e348383af57ec4119eb1b58d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hboagf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kinemkko.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fifdgblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbnhphbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ejgdpg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikopmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iffmccbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdemhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecmlcmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnnaikp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjqeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icljbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjhfnccl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmnaakne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbocea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaqcbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Elagacbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gjlfbd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbioei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imihfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efgodj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmoibog.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejegjh32.exe

Executes dropped EXE 64 IoCs

pid	Process
3892	Efgodj32.exe
676	Elagacbk.exe
4900	Epmcab32.exe
544	Eckonn32.exe
1032	Efikji32.exe
3764	Ejegjh32.exe
3760	Ecmlcmhe.exe
4924	Ejgdpg32.exe
2220	Eleplc32.exe
4060	Ecphimfb.exe
4608	Ejjqeg32.exe
364	Eqciba32.exe
2344	Ebeejijj.exe
1520	Ejlmkgkl.exe
1540	Ehonfc32.exe
4848	Eoifcnid.exe
4944	Ecdbdl32.exe
3260	Fhajlc32.exe
3552	Fokbim32.exe
4272	Fbioei32.exe
1112	Ficgacna.exe
2020	Fcikolnh.exe
4612	Ffggkgmk.exe
540	Fifdgblo.exe
448	Fbnhphbp.exe
2368	Fihqmb32.exe
4904	Fobiilai.exe
3876	Fbqefhpm.exe
1968	Fmficqpc.exe
408	Gcpapkgp.exe
4476	Gbcakg32.exe
3020	Gmhfhp32.exe
4232	Gogbdl32.exe
4668	Gbenqg32.exe
4916	Gjlfbd32.exe
3808	Gqfooodg.exe
1060	Gbgkfg32.exe
2736	Gjocgdkg.exe
3208	Gmmocpjk.exe
2680	Gpklpkio.exe
4876	Gbjhlfhb.exe
3396	Gjapmdid.exe
1852	Gidphq32.exe
4828	Gqkhjn32.exe
2260	Gbldaffp.exe
1736	Gjclbc32.exe
4484	Gameonno.exe
2624	Hboagf32.exe
1612	Hjfihc32.exe
3716	Hapaemll.exe
1740	Hcnnaikp.exe
1368	Hjhfnccl.exe
4068	Hmfbjnbp.exe
2008	Hpenfjad.exe
1840	Hbckbepg.exe
4280	Hfofbd32.exe
4072	Hmioonpn.exe
2564	Hpgkkioa.exe
1016	Hjmoibog.exe
4432	Haggelfd.exe
4140	Hbhdmd32.exe
2396	Hmmhjm32.exe
3508	Haidklda.exe
876	Icgqggce.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jbmfoa32.exe	Jdjfcecp.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File created	C:\Windows\SysWOW64\Egmhjb32.dll	Hapaemll.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Fifdgblo.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Mkeebhjc.dll	Kaemnhla.exe
File created	C:\Windows\SysWOW64\Jpaghf32.exe	Jangmibi.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Ilaidmmo.dll	Gogbdl32.exe
File created	C:\Windows\SysWOW64\Jpgdbg32.exe	Imihfl32.exe
File created	C:\Windows\SysWOW64\Jmkdlkph.exe	Jiphkm32.exe
File created	C:\Windows\SysWOW64\Olmeac32.dll	Jdhine32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Hfdcbdnc.dll	Ecmlcmhe.exe
File opened for modification	C:\Windows\SysWOW64\Gjlfbd32.exe	Gbenqg32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Agbpag32.dll	Ficgacna.exe
File created	C:\Windows\SysWOW64\Bbamkcqa.dll	Hjfihc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	Kaqcbi32.exe
File opened for modification	C:\Windows\SysWOW64\Kaemnhla.exe	Kinemkko.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jdkind32.dll	Jbfpobpb.exe
File created	C:\Windows\SysWOW64\Jdjfcecp.exe	Jpojcf32.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	Hbhdmd32.exe
File opened for modification	C:\Windows\SysWOW64\Gbcakg32.exe	Gcpapkgp.exe
File opened for modification	C:\Windows\SysWOW64\Gogbdl32.exe	Gmhfhp32.exe
File created	C:\Windows\SysWOW64\Inomojol.dll	Eqciba32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Ifhiib32.exe	Iakaql32.exe
File created	C:\Windows\SysWOW64\Mnnkcb32.dll	Imihfl32.exe
File opened for modification	C:\Windows\SysWOW64\Jangmibi.exe	Jmbklj32.exe
File created	C:\Windows\SysWOW64\Cniohj32.dll	Eckonn32.exe
File created	C:\Windows\SysWOW64\Gmggiogn.dll	Ejjqeg32.exe
File created	C:\Windows\SysWOW64\Hjfihc32.exe	Hboagf32.exe
File opened for modification	C:\Windows\SysWOW64\Iikopmkd.exe	Ifmcdblq.exe
File created	C:\Windows\SysWOW64\Gmlgol32.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Ficgacna.exe	Fbioei32.exe
File created	C:\Windows\SysWOW64\Fbqefhpm.exe	Fobiilai.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ejlmkgkl.exe	Ebeejijj.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Eoifcnid.exe	Ehonfc32.exe
File opened for modification	C:\Windows\SysWOW64\Fokbim32.exe	Fhajlc32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6452	6288	WerFault.exe	262

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofjdo32.dll"	Ecdbdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbqefhpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenhgdd.dll"	Gcpapkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahbi32.dll"	Fhajlc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hfofbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqkhjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijiaonm.dll"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnodhch.dll"	Iidipnal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbfpobpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfnojog.dll"	Jibeql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiphogop.dll"	Iabgaklg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Elagacbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Epmcab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Icljbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmficqpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gcpapkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbpag32.dll"	Ficgacna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kknafn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifjfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ijdeiaio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqfooodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gbjhlfhb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ifhiib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpjljp32.dll"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gjclbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jaljgidl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	Kaqcbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eckonn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 3892	4872	324d28100c466cbc69bbeed9bb04f2afc6dd797e348383af57ec4119eb1b58d9.exe	83
PID 4872 wrote to memory of 3892	4872	324d28100c466cbc69bbeed9bb04f2afc6dd797e348383af57ec4119eb1b58d9.exe	83
PID 4872 wrote to memory of 3892	4872	324d28100c466cbc69bbeed9bb04f2afc6dd797e348383af57ec4119eb1b58d9.exe	83
PID 3892 wrote to memory of 676	3892	Efgodj32.exe	84
PID 3892 wrote to memory of 676	3892	Efgodj32.exe	84
PID 3892 wrote to memory of 676	3892	Efgodj32.exe	84
PID 676 wrote to memory of 4900	676	Elagacbk.exe	85
PID 676 wrote to memory of 4900	676	Elagacbk.exe	85
PID 676 wrote to memory of 4900	676	Elagacbk.exe	85
PID 4900 wrote to memory of 544	4900	Epmcab32.exe	86
PID 4900 wrote to memory of 544	4900	Epmcab32.exe	86
PID 4900 wrote to memory of 544	4900	Epmcab32.exe	86
PID 544 wrote to memory of 1032	544	Eckonn32.exe	87
PID 544 wrote to memory of 1032	544	Eckonn32.exe	87
PID 544 wrote to memory of 1032	544	Eckonn32.exe	87
PID 1032 wrote to memory of 3764	1032	Efikji32.exe	88
PID 1032 wrote to memory of 3764	1032	Efikji32.exe	88
PID 1032 wrote to memory of 3764	1032	Efikji32.exe	88
PID 3764 wrote to memory of 3760	3764	Ejegjh32.exe	89
PID 3764 wrote to memory of 3760	3764	Ejegjh32.exe	89
PID 3764 wrote to memory of 3760	3764	Ejegjh32.exe	89
PID 3760 wrote to memory of 4924	3760	Ecmlcmhe.exe	90
PID 3760 wrote to memory of 4924	3760	Ecmlcmhe.exe	90
PID 3760 wrote to memory of 4924	3760	Ecmlcmhe.exe	90
PID 4924 wrote to memory of 2220	4924	Ejgdpg32.exe	91
PID 4924 wrote to memory of 2220	4924	Ejgdpg32.exe	91
PID 4924 wrote to memory of 2220	4924	Ejgdpg32.exe	91
PID 2220 wrote to memory of 4060	2220	Eleplc32.exe	92
PID 2220 wrote to memory of 4060	2220	Eleplc32.exe	92
PID 2220 wrote to memory of 4060	2220	Eleplc32.exe	92
PID 4060 wrote to memory of 4608	4060	Ecphimfb.exe	93
PID 4060 wrote to memory of 4608	4060	Ecphimfb.exe	93
PID 4060 wrote to memory of 4608	4060	Ecphimfb.exe	93
PID 4608 wrote to memory of 364	4608	Ejjqeg32.exe	94
PID 4608 wrote to memory of 364	4608	Ejjqeg32.exe	94
PID 4608 wrote to memory of 364	4608	Ejjqeg32.exe	94
PID 364 wrote to memory of 2344	364	Eqciba32.exe	95
PID 364 wrote to memory of 2344	364	Eqciba32.exe	95
PID 364 wrote to memory of 2344	364	Eqciba32.exe	95
PID 2344 wrote to memory of 1520	2344	Ebeejijj.exe	96
PID 2344 wrote to memory of 1520	2344	Ebeejijj.exe	96
PID 2344 wrote to memory of 1520	2344	Ebeejijj.exe	96
PID 1520 wrote to memory of 1540	1520	Ejlmkgkl.exe	97
PID 1520 wrote to memory of 1540	1520	Ejlmkgkl.exe	97
PID 1520 wrote to memory of 1540	1520	Ejlmkgkl.exe	97
PID 1540 wrote to memory of 4848	1540	Ehonfc32.exe	98
PID 1540 wrote to memory of 4848	1540	Ehonfc32.exe	98
PID 1540 wrote to memory of 4848	1540	Ehonfc32.exe	98
PID 4848 wrote to memory of 4944	4848	Eoifcnid.exe	99
PID 4848 wrote to memory of 4944	4848	Eoifcnid.exe	99
PID 4848 wrote to memory of 4944	4848	Eoifcnid.exe	99
PID 4944 wrote to memory of 3260	4944	Ecdbdl32.exe	100
PID 4944 wrote to memory of 3260	4944	Ecdbdl32.exe	100
PID 4944 wrote to memory of 3260	4944	Ecdbdl32.exe	100
PID 3260 wrote to memory of 3552	3260	Fhajlc32.exe	101
PID 3260 wrote to memory of 3552	3260	Fhajlc32.exe	101
PID 3260 wrote to memory of 3552	3260	Fhajlc32.exe	101
PID 3552 wrote to memory of 4272	3552	Fokbim32.exe	103
PID 3552 wrote to memory of 4272	3552	Fokbim32.exe	103
PID 3552 wrote to memory of 4272	3552	Fokbim32.exe	103
PID 4272 wrote to memory of 1112	4272	Fbioei32.exe	104
PID 4272 wrote to memory of 1112	4272	Fbioei32.exe	104
PID 4272 wrote to memory of 1112	4272	Fbioei32.exe	104
PID 1112 wrote to memory of 2020	1112	Ficgacna.exe	105

C:\Users\Admin\AppData\Local\Temp\324d28100c466cbc69bbeed9bb04f2afc6dd797e348383af57ec4119eb1b58d9.exe
"C:\Users\Admin\AppData\Local\Temp\324d28100c466cbc69bbeed9bb04f2afc6dd797e348383af57ec4119eb1b58d9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\SysWOW64\Efgodj32.exe
  C:\Windows\system32\Efgodj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Windows\SysWOW64\Elagacbk.exe
    C:\Windows\system32\Elagacbk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\Epmcab32.exe
      C:\Windows\system32\Epmcab32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Ejegjh32.exe
        
        C:\Windows\system32\Ejegjh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\SysWOW64\Ecmlcmhe.exe
        
        C:\Windows\system32\Ecmlcmhe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\SysWOW64\Ejgdpg32.exe
        
        C:\Windows\system32\Ejgdpg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Eleplc32.exe
        
        C:\Windows\system32\Eleplc32.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Ecphimfb.exe
        
        C:\Windows\system32\Ecphimfb.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\Eqciba32.exe
        
        C:\Windows\system32\Eqciba32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Ebeejijj.exe
        
        C:\Windows\system32\Ebeejijj.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Ejlmkgkl.exe
        
        C:\Windows\system32\Ejlmkgkl.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Ecdbdl32.exe
        
        C:\Windows\system32\Ecdbdl32.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Fokbim32.exe
        
        C:\Windows\system32\Fokbim32.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Fbioei32.exe
        
        C:\Windows\system32\Fbioei32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Ficgacna.exe
        
        C:\Windows\system32\Ficgacna.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Fcikolnh.exe
        
        C:\Windows\system32\Fcikolnh.exe
        23⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\Fifdgblo.exe
        
        C:\Windows\system32\Fifdgblo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\Fihqmb32.exe
        
        C:\Windows\system32\Fihqmb32.exe
        27⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4904
        
        C:\Windows\SysWOW64\Fbqefhpm.exe
        
        C:\Windows\system32\Fbqefhpm.exe
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Fmficqpc.exe
        
        C:\Windows\system32\Fmficqpc.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Gcpapkgp.exe
        
        C:\Windows\system32\Gcpapkgp.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        32⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Windows\SysWOW64\Gmhfhp32.exe
        
        C:\Windows\system32\Gmhfhp32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3020
        
        C:\Windows\SysWOW64\Gogbdl32.exe
        
        C:\Windows\system32\Gogbdl32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\Gbenqg32.exe
        
        C:\Windows\system32\Gbenqg32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\Gqfooodg.exe
        
        C:\Windows\system32\Gqfooodg.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\Gbgkfg32.exe
        
        C:\Windows\system32\Gbgkfg32.exe
        38⤵
        Executes dropped EXE
        
        PID:1060
        
        C:\Windows\SysWOW64\Gjocgdkg.exe
        
        C:\Windows\system32\Gjocgdkg.exe
        39⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        40⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Windows\SysWOW64\Gpklpkio.exe
        
        C:\Windows\system32\Gpklpkio.exe
        41⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Gbjhlfhb.exe
        
        C:\Windows\system32\Gbjhlfhb.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        43⤵
        Executes dropped EXE
        
        PID:3396
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        44⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\Gqkhjn32.exe
        
        C:\Windows\system32\Gqkhjn32.exe
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Gbldaffp.exe
        
        C:\Windows\system32\Gbldaffp.exe
        46⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\Gjclbc32.exe
        
        C:\Windows\system32\Gjclbc32.exe
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        48⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\Hjfihc32.exe
        
        C:\Windows\system32\Hjfihc32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1612
        
        C:\Windows\SysWOW64\Hapaemll.exe
        
        C:\Windows\system32\Hapaemll.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\SysWOW64\Hjhfnccl.exe
        
        C:\Windows\system32\Hjhfnccl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SysWOW64\Hmfbjnbp.exe
        
        C:\Windows\system32\Hmfbjnbp.exe
        54⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        55⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        56⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\Hfofbd32.exe
        
        C:\Windows\system32\Hfofbd32.exe
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Hmioonpn.exe
        
        C:\Windows\system32\Hmioonpn.exe
        58⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Windows\SysWOW64\Hpgkkioa.exe
        
        C:\Windows\system32\Hpgkkioa.exe
        59⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\Hjmoibog.exe
        
        C:\Windows\system32\Hjmoibog.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1016
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        61⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Windows\SysWOW64\Hbhdmd32.exe
        
        C:\Windows\system32\Hbhdmd32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\Hmmhjm32.exe
        
        C:\Windows\system32\Hmmhjm32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        64⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        65⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\Iffmccbi.exe
        
        C:\Windows\system32\Iffmccbi.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4504
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Iakaql32.exe
        
        C:\Windows\system32\Iakaql32.exe
        68⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        69⤵
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:4616
        
        C:\Windows\SysWOW64\Icljbg32.exe
        
        C:\Windows\system32\Icljbg32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4768
        
        C:\Windows\SysWOW64\Ifjfnb32.exe
        
        C:\Windows\system32\Ifjfnb32.exe
        73⤵
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        74⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        75⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\Ibagcc32.exe
        
        C:\Windows\system32\Ibagcc32.exe
        76⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:920
        
        C:\Windows\SysWOW64\Iabgaklg.exe
        
        C:\Windows\system32\Iabgaklg.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        80⤵
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Ifopiajn.exe
        
        C:\Windows\system32\Ifopiajn.exe
        81⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\Imihfl32.exe
        
        C:\Windows\system32\Imihfl32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Jpgdbg32.exe
        
        C:\Windows\system32\Jpgdbg32.exe
        83⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Jiphkm32.exe
        
        C:\Windows\system32\Jiphkm32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Jmkdlkph.exe
        
        C:\Windows\system32\Jmkdlkph.exe
        86⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\Jdemhe32.exe
        
        C:\Windows\system32\Jdemhe32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2028
        
        C:\Windows\SysWOW64\Jibeql32.exe
        
        C:\Windows\system32\Jibeql32.exe
        88⤵
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Jmnaakne.exe
        
        C:\Windows\system32\Jmnaakne.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2628
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        90⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\Jfffjqdf.exe
        
        C:\Windows\system32\Jfffjqdf.exe
        91⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        92⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        93⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Jpojcf32.exe
        
        C:\Windows\system32\Jpojcf32.exe
        94⤵
        Drops file in System32 directory
        
        PID:5172
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        95⤵
        Drops file in System32 directory
        
        PID:5216
        
        C:\Windows\SysWOW64\Jbmfoa32.exe
        
        C:\Windows\system32\Jbmfoa32.exe
        96⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        97⤵
        Modifies registry class
        
        PID:5304
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5344
        
        C:\Windows\SysWOW64\Jangmibi.exe
        
        C:\Windows\system32\Jangmibi.exe
        99⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5432
        
        C:\Windows\SysWOW64\Jbocea32.exe
        
        C:\Windows\system32\Jbocea32.exe
        101⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5480
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5528
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        103⤵
        Modifies registry class
        
        PID:5572
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5604
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        105⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Kpepcedo.exe
        
        C:\Windows\system32\Kpepcedo.exe
        107⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        108⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        110⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5880
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        112⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        113⤵
        Modifies registry class
        
        PID:6008
        
        C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        114⤵
        Modifies registry class
        
        PID:6048
        
        C:\Windows\SysWOW64\Kpjjod32.exe
        
        C:\Windows\system32\Kpjjod32.exe
        115⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        116⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Kgdbkohf.exe
        
        C:\Windows\system32\Kgdbkohf.exe
        117⤵
        Modifies registry class
        
        PID:5148
        
        C:\Windows\SysWOW64\Kibnhjgj.exe
        
        C:\Windows\system32\Kibnhjgj.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\Kajfig32.exe
        
        C:\Windows\system32\Kajfig32.exe
        119⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5284
        
        C:\Windows\SysWOW64\Kpmfddnf.exe
        
        C:\Windows\system32\Kpmfddnf.exe
        120⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5340
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5424
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        122⤵
        Modifies registry class
        
        PID:5504
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        124⤵
        Modifies registry class
        
        PID:5652
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        126⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        127⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        129⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6076
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        131⤵
        Drops file in System32 directory
        
        PID:5128
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        132⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        133⤵
        Modifies registry class
        
        PID:5392
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        134⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        135⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        136⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        137⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        138⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        139⤵
        Drops file in System32 directory
        
        PID:6044
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        140⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        141⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        142⤵
        Drops file in System32 directory
        
        PID:5648
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5864
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        144⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        145⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5412
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        146⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        147⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5588
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        149⤵
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        150⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5908
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        151⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        152⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6164
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        153⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6204
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        154⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6248
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        155⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        156⤵
        Modifies registry class
        
        PID:6340
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6376
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        158⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        159⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        160⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6520
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        161⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6560
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        162⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        163⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        164⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6736
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6788
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        166⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6828
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        167⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6912
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6980
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        169⤵
        Modifies registry class
        
        PID:7044
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        170⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7084
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        171⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7124
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        172⤵
        Modifies registry class
        
        PID:6156
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6212
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        174⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6288 -s 420
        175⤵
        Program crash
        
        PID:6452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6288 -ip 6288
1⤵
PID:6400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cniohj32.dll

Filesize
7KB

MD5
2d4f1caf6e71dec7571b6e55210c6525

SHA1
30af2db50d15f53ee56bda3093c2ef233b585f4b

SHA256
ef4a98d4d9622db29a01c28ba3f06fcd1f789a70ba0bc902146f18b3f8c262da

SHA512
0bb6c2fb4e63984a407aa806bf266a38c88021ddf38f37b01d908eead11e9949b982e42024990e38218b3b30c8971a92049ad43d49942bfb47fc7d7479b34de7

Download Submit
C:\Windows\SysWOW64\Ebeejijj.exe

Filesize
128KB

MD5
8fe7efcaa87bfe8d5e43b7db84fabcb9

SHA1
55a3036d898ea6e00f65716c1861e6bf195c8918

SHA256
c677b73b38fed30bf9616d2596f689b6e2b8bc0a9546f8ed0442c679947ce9f6

SHA512
fb1098dba3c757eeaf5cdea68935b7704051cf3d22aaaf7256cf1c7cd64f12410a2b18147a0e34471895772a34b1cb4e31f997de42b168836ee75b88936d7715

Download Submit
C:\Windows\SysWOW64\Ecdbdl32.exe

Filesize
128KB

MD5
a9fc1bfc9384b632d1977a2ffb616764

SHA1
6085d5955cfc787dd4b5c1f489fb8c69b8368c6d

SHA256
d24f6d03772c168936b7414b812723e8873ee073d9b3ff41ecf0f9c7b6ae2507

SHA512
5a403a5d17c4c42fcf191200a4de46742b8cc7f60c57747490833967505f44ccc56786a4140b861599018fa9db5cc04bc913bb5fa409015405cb7726cc3887d6

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
128KB

MD5
6093f736413fd373365f9ce99c8e20e0

SHA1
9b0ba8da8e34b8bc3e10dfa8a040d7864c570c70

SHA256
8fbfd10e9ecbe4c5b718e0e9711fb6d6e930b5b506b497f51bda2dcc03a25f25

SHA512
0c39d6e7f5c835f26d674d53693073092ddc661aa262a31cb59d3ebeda1d7a60625232d539d7571b3c05849ac681096dc4519d5547681f52ab1bdd1bb26a10c5

Download Submit
C:\Windows\SysWOW64\Ecmlcmhe.exe

Filesize
128KB

MD5
fe534a201c248d24f0189028fee7dd11

SHA1
ea8c9c9fe8f08ab3fd7ed054c4eb18fcb391c27a

SHA256
c8c85d8293bb3f92f991239bae6bfae3d35707c7a5f2061e101436f4a04008be

SHA512
9b3cecbdc403d1269bb8884edd37e1f0cb4985c15ce5b590392727523bb321abfa464d35991d56d630625fe1e7b25f7dac731d04f90d0cf38cce38dcc360ea8a

Download Submit
C:\Windows\SysWOW64\Ecphimfb.exe

Filesize
128KB

MD5
b464de48569a5a17fd537822e70c9784

SHA1
0976e89c975a88c94502794f6e4c9133f7c8df52

SHA256
b78897f57d4dfb5aa0178f09ed5f13f4dc46a1a8c26e177b2228aa6f19cf7501

SHA512
e36eb10ecee3161402efd3f0e1003cd368b8c0975dfc407f33d000a6816ee857ed24fe8233f6e4b47a428790bff8a28918e9e8d9edce5d970cae3f9e06d285d2

Download Submit
C:\Windows\SysWOW64\Efgodj32.exe

Filesize
128KB

MD5
94f9588f5350adb74fde2ec3a1068787

SHA1
1c8db42361d9e25a92d15d07363e662a35ee45cf

SHA256
8ff6bf64113b8e1a6a8b505f229b3d354a647268de55d57b31998d03a34081c0

SHA512
9c03bea7e223b835ef1ee3734becfe774f9f9278be39f718684cca3f9f1893efded3960548b750579f51dd52f4e864031950d8340b6a3c49ca070f0ba0e590a9

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
128KB

MD5
70cdb04939426072d56e3cc4fbd450ba

SHA1
b87e2a7278713e2428bf26a11dd765c5f3e3f010

SHA256
813301710e59d58115d8d09f27e8cc08fad389a93fca576889b5703de3dacdb9

SHA512
4ad43649364747658478be962e7f1b3af8db9bef87ba6cb3a9f8fd7857082255eb9260cafc32aeb3c726a457559d7ac473d5beb28962e5d3e3a780616e1f6036

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
128KB

MD5
4f0482c4864233038cb7a44a17350325

SHA1
1ee0b22aa5947b8e0a046abecf77f463bc145a96

SHA256
83242b20ead7b29da6a90e453cbe20eb66e702df3bd624ab9569bdf592d24b00

SHA512
6edf0d4c048ba4f116c4ae4c2294c3ff9391819c81da7045f2c371e5b479a142fee738fcf1de7d13310332ba6f8396537df6c6f4fe6436b6ffcbae44a14f4236

Download Submit
C:\Windows\SysWOW64\Ejegjh32.exe

Filesize
128KB

MD5
1a5e5b5239b1a0cde445b91d043bfac7

SHA1
b135a22fef58a4065f980856752d1e26094f5edd

SHA256
ced9af53f173a162b1949e1a5e11e2bf00704b8b424afa2d0a480d21f5d90d5a

SHA512
8136a2d794a660c8b9eb616b68a1f3321e36d3b5ab2844c200c8091b973b27432f50bc861401d5b456fc0420f77021698a0795d115881fa48d931d5dfc962d0b

Download Submit
C:\Windows\SysWOW64\Ejgdpg32.exe

Filesize
128KB

MD5
9d332bb7389c771ffe7e7bccbd26851f

SHA1
c9cb45a5512f2d9ac4b1060ccc0a5023c88bf9a8

SHA256
74f80bf2bc2a1e23ebb71192f19c134b654221138a4a8ddab4866b8d346a1866

SHA512
494827d3030ffec3e7d7c5f39e6cece2d7ed49d8fc60b69f939cbac4cca18c663f5dc64723c0d04a0f159d8041844a3b0bfd6569caee44150068b8e568535880

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
128KB

MD5
25755ffb171d918759152fc6cff50b2c

SHA1
c64b3a98396f816a933a6eb90aca27decaea5503

SHA256
26ab138be96412b04d703441b120465c4d494483d06a9a60ecb023fbe1e0668a

SHA512
0c1a717db3bb0be27100ce5c3f407b3e4e4edf0bbaca194c47014bf5c92b84ebe61f8556f2a8f75c597ea3d0203f96568add20b22b996d1275ecd858c23c9305

Download Submit
C:\Windows\SysWOW64\Ejlmkgkl.exe

Filesize
128KB

MD5
c577bcb6e5c8ef991c5d00d0bd3a58ed

SHA1
83cf57fd1ec1822a06e3fc06d1dacc31059f10f6

SHA256
600091c53a0c51932eb380a79348f6a59c5ea56739073bd3ce5f4f13a2901ded

SHA512
cd4bfbc01cc3a4c1227c1ce18bf5987ca9fa9f60ed038901dd1e8cd0d818ad64cceb278822ae11604dd1777262d873f90e60a065257228c4d25c60d5a8b873d9

Download Submit
C:\Windows\SysWOW64\Elagacbk.exe

Filesize
128KB

MD5
7c7d4abacf55cd18d515a03a425522dc

SHA1
88bd81633e6bf542f693f2c5d582e6429532d747

SHA256
9e73a968cbcea381f727fcfcf9dc141d5e8fc52f315904ee29bacf04d760b1e9

SHA512
c6f34d349519f03ca6d2b582e852d9493af8cd90a943cca888513bda3f5d811f2b8e001677b0a807bc74f9e3b656e1ce915307bf4349530aa3a59e9a47e19732

Download Submit
C:\Windows\SysWOW64\Eleplc32.exe

Filesize
128KB

MD5
8364d8efb9f33a32d84fbf523b093195

SHA1
16cc2035f77bf8513b6b5d74e14ffb920ceac21e

SHA256
d523e4b8ab92b2602648cfd7a5d06a3439e5f7ec0e7b5cbfdff0e9bb1498f18c

SHA512
16711cd8e72dc47ad37d6c868780a4cdf053b2bcf7e4629381a012e6c3da84e30427cff8277420bd574ae3ba34b0f77ffc850b59b5e3c0330b2dd1aca15eec6e

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
128KB

MD5
59b7d9bae755f014b46463104054b87c

SHA1
a3473810ae270e015293ba943a0a93298079cd1c

SHA256
b29b3075e66a32811e70835983922e0e1a7828e1fda672ab487ad472e94e3e7e

SHA512
1989817d05e01e137cef616dcbaec0caeffc321ecceab833d445dc73af21edb1c197f0f27708f9a5bc6b9877b4e32c860f66d4f8e3bcbd46eb3ef5ca5085b12a

Download Submit
C:\Windows\SysWOW64\Epmcab32.exe

Filesize
128KB

MD5
470d71819d947bd50a96cd3e7de63be0

SHA1
abbc0a44598a00f929a9cc3ff29464179843012f

SHA256
8a117e20719499c4754b5a4820a569765484c47fd725345fdaaeace2040b1648

SHA512
05e38e3ff512f4a1da5e267206ad890be6337974c0c4f80710bca0f247ce86a21e65938263b22ea787491959164894a31453325bd4d662772691319b0b2ef778

Download Submit
C:\Windows\SysWOW64\Eqciba32.exe

Filesize
128KB

MD5
09931a147c82606687dc2ac8f0117813

SHA1
bd02c85817c24d1a20bd880bcd40ec9537d743cd

SHA256
300c01dbf13801f21d60b36007e8dfa115892036099fabea79e2a1f09d4eb7b7

SHA512
13b35a030234fcc2e2349531d8f7bfa05cb4e8415467e465d82576280086909b316c3e7db0002309458e7261baa5eb30e74799245b3a270e26f4bcb65297a57c

Download Submit
C:\Windows\SysWOW64\Fbioei32.exe

Filesize
128KB

MD5
d012275da6095cf2630ab39ca9fe7e19

SHA1
68304e1543ae1731a56f7df4482835bedec557db

SHA256
7ddf5f0f688f96efa6963623ef2e1bde1b0ce6f06c0ebf06b72ccb92be478def

SHA512
7cdc6041e911f19fa3ecc8d046f1fe02eaa504dac1acf95608dfab5206b044e7fa968c839df5db2867d86b1234ac39aa493e47f57a3250fe6c5dd5cdf2a9c16d

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
128KB

MD5
4e4c132f07b1792026d7cf36288de769

SHA1
9f8aef9e5de168f449940188d844c48d9a5878dd

SHA256
1bd067c26301abf9c90a70283874280f02b76fb939baa8b3761fecb317cb807f

SHA512
6b4f495379d11169ab446348c525efc40f3c0fef5f454a45c2533cecef5f62a6ba9afcbc1f1bdddb66c393951cab6c56fb2d7cdd43bdad7ae5c713a7694eb9d3

Download Submit
C:\Windows\SysWOW64\Fbqefhpm.exe

Filesize
128KB

MD5
4ff40423525e89e89cdff9071c8c2197

SHA1
3665d4e04cd3b64f3907d7e575bd3d862e90e302

SHA256
97614dcc9fd45c7f6d7e58f334679c431aad89a8109cbb446373cca993bb215c

SHA512
045143c7439e50d0753bcad4f26bbc321a66c28b1d5e3286794fafc269a0d8c703256451725e803d87d284f9c6e59937e8476c772ef284e6b6cb27ff1f87b445

Download Submit
C:\Windows\SysWOW64\Fcikolnh.exe

Filesize
128KB

MD5
98ebfae54351987569ee307316023a2c

SHA1
d65065e6926d7405e7684c703e2b70cf0d661756

SHA256
488ce5d895cbed6d398bdaf1acccfbff2f9877523dedcd6d9e48c248ccab7a7a

SHA512
d379721bb08ffc23464a6c212fdab125cbb7bb94f9d0b180284e8cae95534d80d6628c72ec0aac00c3de043595ca029cda46c9b73319c8f40d63ceba1f8612a4

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
128KB

MD5
1d0ea75f0baa73eb642ce09eff53116b

SHA1
013b8d721e7c16d920e3d4c23db5d63f5cc2b287

SHA256
edbc58cfc6b72c41af0b6ed6a89c4fc1a97c5fb9f4b939f79ba93455c3e2c568

SHA512
099ac593b6d8753d7b29424691ebfd108cec856902e6da4bfe2632731d213b2b800f9f70788475c6b583241125db501d46b6e62d91e1e71f89d865495028f32a

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
128KB

MD5
74f21e87cf6a234716c4d6e7c31c0c6f

SHA1
f7d587812cd16e57427ef1a95041e2898bfa3c68

SHA256
927da6478dbda8178e7df3b174e1bfdde4e11a10d46f16ca42caa318bd22563b

SHA512
fc2a6923945cc3e1e41c7442adb6eecd3dead023ff99270e870d7cac090a10646a004c4bdc75ed7fc72081b66f0b4a5a468ab58e6206b203d5135ad6db09f1f9

Download Submit
C:\Windows\SysWOW64\Ficgacna.exe

Filesize
128KB

MD5
151aa331a0d74386eb76ac64b646172f

SHA1
c53f88bc66f90320d413f7cda4d358a20d2507d5

SHA256
dbb05af6992bf72e2ba1370181af20fc2644c5c8bea8a24662ba92972e9c1639

SHA512
66e62abdb9d7bca02f24711daee4c9e281ebd19a7de28a592009ed8f983329fd93744799a9b5d9a1fe0308ddd5bbbdc9d607cad18cc3a893fe2a0083cee7d8b7

Download Submit
C:\Windows\SysWOW64\Fifdgblo.exe

Filesize
128KB

MD5
aa9d81d4d1d51e4e1687c8edac15e8cb

SHA1
cd55fbd89b4500f7fb165b0462aaabf1ecd2877d

SHA256
1b46921e84da6b02e684ec4d952628cefe1e7165fae4b9b33895da434390a95b

SHA512
54ce10583faee5ec9006b9b8234a22691dd1b16ba41c44ad7840a944792e604b135f6bd82b35cf881608dc6575cb6da2082bfe98fe7e9f884eac038e5491f410

Download Submit
C:\Windows\SysWOW64\Fihqmb32.exe

Filesize
128KB

MD5
109c5dbfcbc07f0a8fce3d1bea36e097

SHA1
41d9fef7869b28a63c97ef0f5902345a1c1f82fe

SHA256
067ddba114b27e5531d47729c2eed367a49838aba4d219665185073203f64560

SHA512
084893f3d0b26570c43c4996ff775d8c9f1d876798381c6619b353e91383b0043bd1cfc517a0e87a49940d12e22db607c06792f522c1468d08bc314a5a31d056

Download Submit
C:\Windows\SysWOW64\Fmficqpc.exe

Filesize
128KB

MD5
910dec473e3902b9f0fba5cb8f90371f

SHA1
62b77a60f15003fd34b70045573638f16c25199c

SHA256
6b6e7725f0daba7595785174de8651274ae6d0f964c0c74b9ce911961e35e25b

SHA512
469190b5a02e81e89b49221c7a3f2f6fabeb6b364cb4820e46e1300a401d1d56f0631a868943897c8ff063b4efe06d40d53da71a91b056bbb4f525e221a3e13d

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
128KB

MD5
b7030cccea382ead3fd43163d62fdc3f

SHA1
b44b81e740586ce7c1881df38322eef754990b69

SHA256
e1a829c39a1f4b351fe6f769036b44f52619d6b5e06dbbecd3a5963bc06b0cb6

SHA512
b2dbfbb4832589beea0ea1996dd3ecab81017a1af546318bf03ae7c6a266d1f381a6dc8343e54c0d09fa0c5016de52959eeecdf80d14a206cb75fd6efd20ba47

Download Submit
C:\Windows\SysWOW64\Fokbim32.exe

Filesize
128KB

MD5
12a8e3eea03724bd18939377819041eb

SHA1
3b346ed772da4f353f9959b635041d1b2f38100b

SHA256
47d76d307a3d64da18f8e10cd2fa2ef716e72217c89766791147fa2642df8180

SHA512
33beeb22c418c676a37fad699d59274d5c667b2fbd1bbc8bf4521d47a9e896f05ba1cbc12bde6855a098f374d1145d4c6d8f2788ddd6cbac4e5626f2e69101f6

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
128KB

MD5
8288b75e7af0e145c05a2c4f4ce77425

SHA1
459cfd6af5156b263df5e9f46b30ba30446e623e

SHA256
69f2fe233d320c2b6acdaabaa0340e7758b16d64ccd8bc52edcbfe7ee2d5b900

SHA512
38c090ba8c415673cb725bc4551615c417ffc3995d41fece52454af0210e5ae4eb7770b004a3bb900404e334408df370bed76fc6629cbbfc62b05a46755c620c

Download Submit
C:\Windows\SysWOW64\Gbgkfg32.exe

Filesize
128KB

MD5
316a47c24cdda12d42f97624f65041c7

SHA1
0ce61dcefc2b950cc79f759eed99cc62dfdc7364

SHA256
7bc87b05dc31c4ac1fb1d94473d0b318397be5d0611c080593a7e0e2c0853e9a

SHA512
7b13028d43667222d8a66b2c82134f00e379ad4d807e23d5620e7d09652aaa68d24ab9a3fb5792838950b8268bd67fb39f8b04df44ae6a1c4bf3dd7b30b25c16

Download Submit
C:\Windows\SysWOW64\Gcpapkgp.exe

Filesize
128KB

MD5
fc927900b9920a42f0152b20961952d9

SHA1
6c7685261fbe875be65a215e172b57e5f04a6b15

SHA256
8883ca6f1b059ccc18366b7a81ce9b50f2d704281cb39af1766101b75dca1d71

SHA512
79b2db5376b4967dafbbc8a42c703658437a6412423ec47612218f3836d885ad9ed0f9c7686d6e96a2cebc55db1c5c76314bcc5ef42e0fce4339f1b1b75e330d

Download Submit
C:\Windows\SysWOW64\Gjclbc32.exe

Filesize
128KB

MD5
7e10b2e89f66b18d1fdef954f54b88e5

SHA1
239535f279b295ed9e7871f1d41c2748820b3349

SHA256
a71efc49794e83b98a0a0f5df919d00acb8940a2ce70ccd37d244a2e33dd0179

SHA512
d4f9b931cedf2f908bb2028a988710ff4a3376a4674773c7d6c3be70588eacc6fa6c2798947c55f4f01010a154ba505d744208e7b1d519f9d6ab064a7a881b49

Download Submit
C:\Windows\SysWOW64\Gmhfhp32.exe

Filesize
128KB

MD5
c8afb570bb88589b2ba66c408627143d

SHA1
b2a3fe4605816396213599691c82840b9bac03f8

SHA256
8b320261d303093883a6bec6d33449be9d3774aa2522e248682f0e6c8c3baf87

SHA512
08791e5b8c97ec734d27a43d694172baf633d270e8a8b2d39f48a5308367a142a4b5a7aedd1e94cc31d5ece1c44b51d52a891b67916c83262c4bf7cac735a8a8

Download Submit
C:\Windows\SysWOW64\Gpklpkio.exe

Filesize
128KB

MD5
d271d59ba2338d2e6575c699cd8760a2

SHA1
14af66451a5cc806e199773eb6338624bd26acf6

SHA256
2136cf72223d9210023e0cd2cb4d18c4bb3086bcd4b0f48cb57f6643f56d7943

SHA512
b8c26bdf3d544525df245835bda654120359102f6db2b2ce80e50d0e0e85828cd0072b37015138e6d33d25c3ddf43c5e54d7e6dd432cb73d7ddd971c91166819

Download Submit
C:\Windows\SysWOW64\Hfofbd32.exe

Filesize
128KB

MD5
a6b0849a1dc876f4d8b1e61d869c8dc1

SHA1
abf1f86984cc6a08243a36bfc0767527d1769bb7

SHA256
f6f1adfd8cb96deb0cb6359ef67b81400d12fc6fd4ab902bc7590f87e7650ef3

SHA512
fd363e804f9dc87e38883297bb9f47d65d5adae5ae16a6e3a845eed1818d1bce3e9f271a02336ab5ac4c1f00fa3dde50781be50c3a4b3c38581ca73e7ee6fa0b

Download Submit
C:\Windows\SysWOW64\Iabgaklg.exe

Filesize
128KB

MD5
3cde566332600d653f18ede503a37224

SHA1
6f9ea5cf749bca6faf549c34a0dbde6ad84a03a6

SHA256
c3a8a700afa7e42fc2d2d7fe8e29dbe7a9dfc19c76121aafc24c16a71c386e94

SHA512
02f665af6696a9f3d683e12adb44f0f51cd0882d338bba7838cb8bc2af1837bb2b2a03ddb40d1da53ff89fcb0d56d97cb72e0ad3f9bba563829593d807ac1dcb

Download Submit
C:\Windows\SysWOW64\Ijdeiaio.exe

Filesize
128KB

MD5
efc8bda5404d285ba05249fe38cb8b5b

SHA1
ac04fecf686cb2e80afdb6b76e4793560dec4ac4

SHA256
01a3918c70b77f698b69921744d9f4aa4637823f3175d0b9d85bc859e229efe8

SHA512
f44e81f39bda8895eefd98183e9bb7294e0d492a3b00f4601059892dc9d92ba936cadc92563df46b2904b409932b3088b1598505ef9ab8fa9268760c15e3030a

Download Submit
C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
128KB

MD5
d48bc6fdb4c9c62968385a3a1a1e7008

SHA1
8333f4a69a907d1de32b79f6563bf54074f36684

SHA256
04c053a2fe0d2205adeb01d15ef1931aa43a93ecfe9a79b8ce758c4df3cd4876

SHA512
eac56148b73f19a46bf951c11f5b0af26bd04b812acc2777b9d9716728b724ac4f30ab2da130a2e83fabe9db3431156c6e1f16e4ed2a5fe9461016e2e4d7c178

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
128KB

MD5
f3697d41276639d494b2b48dcf84e7b4

SHA1
ba536cb67a80f493549939660b384e7685410bc7

SHA256
d64e6896f08050a08955a917d5badc33a6b15c93ecfe42b9b41f2f8a5e2b1d6b

SHA512
7875a942446c75c505c2c048cb551226943fba184766fc512f31fbbc64fff344ab1ae4ef2697d0bfc4780d7188cf9ea87e5ace43537612b6d97fd051c1ed202d

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
128KB

MD5
e2265f4afedd1263f76aae73abad0882

SHA1
fd8250f3aac24e057a90ddfcdec6db704e97dcca

SHA256
7d88ae83e4dda2fb3d6c0a251dbbc1b3ee763cf6c99cef7ef6ea7d5437ce7ebb

SHA512
0ba4d3c8196669b23409919b17120d12792d8972301efff887adf7eb70f005ec1e361bf4f8de2b918b8e7b03b4c368f6de87d5c171f98de60a67e2fd9ad4a256

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
128KB

MD5
74f9e7b6811ff06f3fb6e9bc32d4424a

SHA1
16c0d15a52811f9c11be51bb5132888b5d6239d9

SHA256
648ca4c52c827e04b33f22a42c9783a0814323387c5cb3b72813608849d0250d

SHA512
cd13a50bc20e240e415c2550ec5185175ed284a1f840239e936bd9f9afbed6fc2ef6a2a8c84f9fe2001e18c82e8538764c8d04f58dedcc0f7ca33bc51a6c2c0a

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
128KB

MD5
f7015c192503501852b5ecadb7d29b58

SHA1
d41359f6f60a247b2dc5ea0d6fbbdd7997cbc18d

SHA256
6e31e1281f0f370c02c5a2f4b46081ea4e158896b70bbc95f1df33fa05c58b84

SHA512
c8b306e6bf4d8b7f0528a6782940821f0bb104a0271f189b17e2ac914ffdb62433edfa0d5970f98f5b45d73ca6fadb008151b3b29307f34a773b8f7a54d6f53f

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
128KB

MD5
815f6193c9bbfe56701001291ae30c82

SHA1
da8d3c94f5631840b30b53628add9f2c98ce827c

SHA256
334041a948dacb4a83495c9ab66dadbdd38bd9bb22d2a5958801db0f329427ed

SHA512
51d38fa6094fb2fd6e2ee309dfc4e9eb260cab4e3695b4b3e274dca89865b4faaf52ea5b77e3a8d74222f12ae76c27b4a08615c96b9990f58d8b6b9c655ed820

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
128KB

MD5
a1c6a375f6ad2e0ef68c9dd9e998f242

SHA1
a91336b2e08c7a350fb7e33701aee78e105b59d9

SHA256
0bc11712256468860bedc2ae1652eb4a8a500e36f64c051fdbb221919efd0f9c

SHA512
9168b42a8e6126dcd36878d11ccc5bec8baac358ca4e7d02117bd0374e56abb9187cfbb2f79ee85af9242c5e6ffa9549328fca8b34f16ee217d75f9d25ba6602

Download Submit
memory/364-95-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/408-245-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/448-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/540-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/544-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/544-570-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/676-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/812-538-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/876-453-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/920-526-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/936-537-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1016-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1032-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-286-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1112-168-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1368-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1512-572-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1520-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1540-120-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1584-464-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1612-358-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-546-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1724-472-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1736-340-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1740-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-399-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1852-326-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1864-559-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2008-388-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2020-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2028-580-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2220-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2260-334-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2320-573-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2368-208-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2396-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2564-412-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2624-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2628-599-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2680-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2736-292-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3020-260-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-298-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3228-502-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3248-509-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3260-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3396-320-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-447-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3552-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3700-466-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3716-369-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3760-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3760-586-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-579-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3764-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3808-280-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3876-223-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3892-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3892-556-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3964-519-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4060-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4064-544-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4068-387-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4072-411-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4140-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4172-479-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4232-264-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4272-160-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4280-400-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4356-590-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4432-429-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4476-248-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4484-346-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4504-459-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4604-496-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4608-87-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4612-184-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4616-489-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4648-564-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4668-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4768-494-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4828-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-132-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4872-545-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4872-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4876-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4880-524-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4900-557-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4900-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4904-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4916-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4924-597-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4944-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads