ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287

Analysis

max time kernel
138s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287.exe
Size

315KB
MD5

f0aa2f2bcb13af9aaacda835896b8df8
SHA1

638a34aecc5ff352d8b9c020fe8bb0074e3769e5
SHA256

ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287
SHA512

25d881e74be1a23c9e268b683710e92ba102c45fe9bd94512d59280e186e294a6be6034b8ef41f40449f6a176c111c28b71b1c9121947118ea87e6937ffac468
SSDEEP

3072:tEayFT/e9UVJnbatq749+f4auvZ7LC4ZR4mqmnKBstqBiPXPAPePdfVQ:zC/e9oatqI+stesMmG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djpnohej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcbnejem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibccic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfdida32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfhqbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclakimb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idofhfmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibccic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kilhgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipabjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eckonn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jigollag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epopgbia.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoapbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkbnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpenfjad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Haggelfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfkoeppq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcgoilpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcggpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hbeghene.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmcdblq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaimbj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dagiil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljgidl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goiojk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hboagf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe

Executes dropped EXE 64 IoCs

pid	Process
3912	Dabpnlkp.exe
2972	Diihojkb.exe
2344	Dljqpd32.exe
4624	Dohmlp32.exe
2200	Dagiil32.exe
5064	Djpnohej.exe
5076	Domfgpca.exe
640	Dakbckbe.exe
804	Ehekqe32.exe
4936	Eckonn32.exe
2484	Efikji32.exe
2992	Ehhgfdho.exe
2584	Epopgbia.exe
2388	Eoapbo32.exe
216	Eflhoigi.exe
2724	Ejjqeg32.exe
2000	Ehlaaddj.exe
3928	Efpajh32.exe
3504	Ehonfc32.exe
4896	Eoifcnid.exe
1544	Fhajlc32.exe
1124	Fqhbmqqg.exe
2068	Fcgoilpj.exe
4020	Ffggkgmk.exe
680	Fmapha32.exe
1936	Fqmlhpla.exe
3024	Fbnhphbp.exe
1516	Fobiilai.exe
232	Fqaeco32.exe
5052	Gbcakg32.exe
3908	Gimjhafg.exe
3768	Gcbnejem.exe
3448	Gjlfbd32.exe
4744	Gmkbnp32.exe
4960	Goiojk32.exe
2984	Gcekkjcj.exe
2824	Gfcgge32.exe
916	Giacca32.exe
2264	Gmmocpjk.exe
1468	Gcggpj32.exe
2312	Gjapmdid.exe
2324	Gidphq32.exe
3524	Gpnhekgl.exe
540	Gcidfi32.exe
4336	Gfhqbe32.exe
2748	Gifmnpnl.exe
4200	Gameonno.exe
1644	Hclakimb.exe
400	Hboagf32.exe
3652	Hihicplj.exe
716	Hcnnaikp.exe
1152	Hfljmdjc.exe
1204	Hikfip32.exe
4980	Habnjm32.exe
2680	Hpenfjad.exe
1372	Hbckbepg.exe
3088	Hadkpm32.exe
3356	Hbeghene.exe
4252	Hippdo32.exe
2800	Haggelfd.exe
2052	Hcedaheh.exe
2232	Hfcpncdk.exe
3668	Haidklda.exe
392	Icgqggce.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Fbnhphbp.exe	Fqmlhpla.exe
File opened for modification	C:\Windows\SysWOW64\Goiojk32.exe	Gmkbnp32.exe
File created	C:\Windows\SysWOW64\Jigollag.exe	Jfhbppbc.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcidam.exe	Jpaghf32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ggmlbfpm.dll	Domfgpca.exe
File created	C:\Windows\SysWOW64\Hpenfjad.exe	Habnjm32.exe
File opened for modification	C:\Windows\SysWOW64\Jfhbppbc.exe	Jdjfcecp.exe
File created	C:\Windows\SysWOW64\Hadkpm32.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Iannfk32.exe	Ijdeiaio.exe
File created	C:\Windows\SysWOW64\Ppgjkamf.dll	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Djmdfpmb.dll	Gcggpj32.exe
File created	C:\Windows\SysWOW64\Ghmfdf32.dll	Jaimbj32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Dljqpd32.exe	Diihojkb.exe
File opened for modification	C:\Windows\SysWOW64\Eoifcnid.exe	Ehonfc32.exe
File created	C:\Windows\SysWOW64\Fjkiobic.dll	Haidklda.exe
File created	C:\Windows\SysWOW64\Iidipnal.exe	Icgqggce.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Fcgoilpj.exe	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Gimjhafg.exe	Gbcakg32.exe
File created	C:\Windows\SysWOW64\Gbcakg32.exe	Fqaeco32.exe
File created	C:\Windows\SysWOW64\Eddbig32.dll	Ipckgh32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lilanioo.exe
File created	C:\Windows\SysWOW64\Emhmioko.dll	Gmmocpjk.exe
File created	C:\Windows\SysWOW64\Phogofep.dll	Ibojncfj.exe
File created	C:\Windows\SysWOW64\Hmjdia32.dll	Hcnnaikp.exe
File opened for modification	C:\Windows\SysWOW64\Hadkpm32.exe	Hbckbepg.exe
File created	C:\Windows\SysWOW64\Gcekkjcj.exe	Goiojk32.exe
File opened for modification	C:\Windows\SysWOW64\Hbeghene.exe	Hadkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Efikji32.exe	Eckonn32.exe
File created	C:\Windows\SysWOW64\Jfhlfk32.dll	Fmapha32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Djpnohej.exe	Dagiil32.exe
File created	C:\Windows\SysWOW64\Ichhhi32.dll	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Dofqcl32.dll	Fqhbmqqg.exe
File opened for modification	C:\Windows\SysWOW64\Hfljmdjc.exe	Hcnnaikp.exe
File created	C:\Windows\SysWOW64\Impepm32.exe	Iidipnal.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Gdkdqfii.dll	ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287.exe
File created	C:\Windows\SysWOW64\Epopgbia.exe	Ehhgfdho.exe
File created	C:\Windows\SysWOW64\Adijolgl.dll	Gpnhekgl.exe
File created	C:\Windows\SysWOW64\Adakia32.dll	Hboagf32.exe
File created	C:\Windows\SysWOW64\Lijiaonm.dll	Hfcpncdk.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Fmapha32.exe	Ffggkgmk.exe
File created	C:\Windows\SysWOW64\Hihjpn32.dll	Fqmlhpla.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Dagiil32.exe	Dohmlp32.exe
File opened for modification	C:\Windows\SysWOW64\Hippdo32.exe	Hbeghene.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Gmmocpjk.exe	Giacca32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kbdmpqcb.exe
File opened for modification	C:\Windows\SysWOW64\Jaimbj32.exe	Jfdida32.exe
File created	C:\Windows\SysWOW64\Ffggkgmk.exe	Fcgoilpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7136	6988	WerFault.exe	267

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibccic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcidfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmbklj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dljqpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iedonm32.dll"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhlfk32.dll"	Fmapha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gfhqbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjekdho.dll"	Jpjqhgol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cichoi32.dll"	Ehhgfdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikjmhmfd.dll"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoifcnid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emhmioko.dll"	Gmmocpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipegmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llebfo32.dll"	Fhajlc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djpnohej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ehekqe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffggkgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jigollag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohcepmcb.dll"	Ehlaaddj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkmdbdbp.dll"	Gfcgge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hadkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lihoogdd.dll"	Ifmcdblq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopeje32.dll"	Eflhoigi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadofijl.dll"	Gmkbnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epopgbia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkghl32.dll"	Gameonno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfcecp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cniohj32.dll"	Eckonn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjqhgol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dohmlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epopgbia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idofhfmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofqcl32.dll"	Fqhbmqqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipabjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dagiil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaemnhla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 3912	4848	ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287.exe	83
PID 4848 wrote to memory of 3912	4848	ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287.exe	83
PID 4848 wrote to memory of 3912	4848	ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287.exe	83
PID 3912 wrote to memory of 2972	3912	Dabpnlkp.exe	84
PID 3912 wrote to memory of 2972	3912	Dabpnlkp.exe	84
PID 3912 wrote to memory of 2972	3912	Dabpnlkp.exe	84
PID 2972 wrote to memory of 2344	2972	Diihojkb.exe	85
PID 2972 wrote to memory of 2344	2972	Diihojkb.exe	85
PID 2972 wrote to memory of 2344	2972	Diihojkb.exe	85
PID 2344 wrote to memory of 4624	2344	Dljqpd32.exe	86
PID 2344 wrote to memory of 4624	2344	Dljqpd32.exe	86
PID 2344 wrote to memory of 4624	2344	Dljqpd32.exe	86
PID 4624 wrote to memory of 2200	4624	Dohmlp32.exe	89
PID 4624 wrote to memory of 2200	4624	Dohmlp32.exe	89
PID 4624 wrote to memory of 2200	4624	Dohmlp32.exe	89
PID 2200 wrote to memory of 5064	2200	Dagiil32.exe	90
PID 2200 wrote to memory of 5064	2200	Dagiil32.exe	90
PID 2200 wrote to memory of 5064	2200	Dagiil32.exe	90
PID 5064 wrote to memory of 5076	5064	Djpnohej.exe	91
PID 5064 wrote to memory of 5076	5064	Djpnohej.exe	91
PID 5064 wrote to memory of 5076	5064	Djpnohej.exe	91
PID 5076 wrote to memory of 640	5076	Domfgpca.exe	92
PID 5076 wrote to memory of 640	5076	Domfgpca.exe	92
PID 5076 wrote to memory of 640	5076	Domfgpca.exe	92
PID 640 wrote to memory of 804	640	Dakbckbe.exe	94
PID 640 wrote to memory of 804	640	Dakbckbe.exe	94
PID 640 wrote to memory of 804	640	Dakbckbe.exe	94
PID 804 wrote to memory of 4936	804	Ehekqe32.exe	95
PID 804 wrote to memory of 4936	804	Ehekqe32.exe	95
PID 804 wrote to memory of 4936	804	Ehekqe32.exe	95
PID 4936 wrote to memory of 2484	4936	Eckonn32.exe	96
PID 4936 wrote to memory of 2484	4936	Eckonn32.exe	96
PID 4936 wrote to memory of 2484	4936	Eckonn32.exe	96
PID 2484 wrote to memory of 2992	2484	Efikji32.exe	97
PID 2484 wrote to memory of 2992	2484	Efikji32.exe	97
PID 2484 wrote to memory of 2992	2484	Efikji32.exe	97
PID 2992 wrote to memory of 2584	2992	Ehhgfdho.exe	98
PID 2992 wrote to memory of 2584	2992	Ehhgfdho.exe	98
PID 2992 wrote to memory of 2584	2992	Ehhgfdho.exe	98
PID 2584 wrote to memory of 2388	2584	Epopgbia.exe	99
PID 2584 wrote to memory of 2388	2584	Epopgbia.exe	99
PID 2584 wrote to memory of 2388	2584	Epopgbia.exe	99
PID 2388 wrote to memory of 216	2388	Eoapbo32.exe	100
PID 2388 wrote to memory of 216	2388	Eoapbo32.exe	100
PID 2388 wrote to memory of 216	2388	Eoapbo32.exe	100
PID 216 wrote to memory of 2724	216	Eflhoigi.exe	101
PID 216 wrote to memory of 2724	216	Eflhoigi.exe	101
PID 216 wrote to memory of 2724	216	Eflhoigi.exe	101
PID 2724 wrote to memory of 2000	2724	Ejjqeg32.exe	102
PID 2724 wrote to memory of 2000	2724	Ejjqeg32.exe	102
PID 2724 wrote to memory of 2000	2724	Ejjqeg32.exe	102
PID 2000 wrote to memory of 3928	2000	Ehlaaddj.exe	103
PID 2000 wrote to memory of 3928	2000	Ehlaaddj.exe	103
PID 2000 wrote to memory of 3928	2000	Ehlaaddj.exe	103
PID 3928 wrote to memory of 3504	3928	Efpajh32.exe	104
PID 3928 wrote to memory of 3504	3928	Efpajh32.exe	104
PID 3928 wrote to memory of 3504	3928	Efpajh32.exe	104
PID 3504 wrote to memory of 4896	3504	Ehonfc32.exe	105
PID 3504 wrote to memory of 4896	3504	Ehonfc32.exe	105
PID 3504 wrote to memory of 4896	3504	Ehonfc32.exe	105
PID 4896 wrote to memory of 1544	4896	Eoifcnid.exe	106
PID 4896 wrote to memory of 1544	4896	Eoifcnid.exe	106
PID 4896 wrote to memory of 1544	4896	Eoifcnid.exe	106
PID 1544 wrote to memory of 1124	1544	Fhajlc32.exe	107

C:\Users\Admin\AppData\Local\Temp\ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287.exe
"C:\Users\Admin\AppData\Local\Temp\ea4e2d6c1f40313ffbae6e7bfbd02ffa76a02beef3862fd0706d573727b6a287.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\Dabpnlkp.exe
  C:\Windows\system32\Dabpnlkp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\SysWOW64\Diihojkb.exe
    C:\Windows\system32\Diihojkb.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\Dljqpd32.exe
      C:\Windows\system32\Dljqpd32.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\SysWOW64\Dohmlp32.exe
        
        C:\Windows\system32\Dohmlp32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
      - C:\Windows\SysWOW64\Dagiil32.exe
        
        C:\Windows\system32\Dagiil32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Djpnohej.exe
        
        C:\Windows\system32\Djpnohej.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Domfgpca.exe
        
        C:\Windows\system32\Domfgpca.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\SysWOW64\Dakbckbe.exe
        
        C:\Windows\system32\Dakbckbe.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Ehekqe32.exe
        
        C:\Windows\system32\Ehekqe32.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\Eckonn32.exe
        
        C:\Windows\system32\Eckonn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Efikji32.exe
        
        C:\Windows\system32\Efikji32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Ehhgfdho.exe
        
        C:\Windows\system32\Ehhgfdho.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Epopgbia.exe
        
        C:\Windows\system32\Epopgbia.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Eoapbo32.exe
        
        C:\Windows\system32\Eoapbo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Eflhoigi.exe
        
        C:\Windows\system32\Eflhoigi.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Ejjqeg32.exe
        
        C:\Windows\system32\Ejjqeg32.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Ehlaaddj.exe
        
        C:\Windows\system32\Ehlaaddj.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Efpajh32.exe
        
        C:\Windows\system32\Efpajh32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\Ehonfc32.exe
        
        C:\Windows\system32\Ehonfc32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Eoifcnid.exe
        
        C:\Windows\system32\Eoifcnid.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Fhajlc32.exe
        
        C:\Windows\system32\Fhajlc32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Fqhbmqqg.exe
        
        C:\Windows\system32\Fqhbmqqg.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Fcgoilpj.exe
        
        C:\Windows\system32\Fcgoilpj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\Ffggkgmk.exe
        
        C:\Windows\system32\Ffggkgmk.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Fmapha32.exe
        
        C:\Windows\system32\Fmapha32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Fqmlhpla.exe
        
        C:\Windows\system32\Fqmlhpla.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\Fbnhphbp.exe
        
        C:\Windows\system32\Fbnhphbp.exe
        28⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\Fobiilai.exe
        
        C:\Windows\system32\Fobiilai.exe
        29⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Windows\SysWOW64\Fqaeco32.exe
        
        C:\Windows\system32\Fqaeco32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\Gbcakg32.exe
        
        C:\Windows\system32\Gbcakg32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\Gimjhafg.exe
        
        C:\Windows\system32\Gimjhafg.exe
        32⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\Gcbnejem.exe
        
        C:\Windows\system32\Gcbnejem.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3768
        
        C:\Windows\SysWOW64\Gjlfbd32.exe
        
        C:\Windows\system32\Gjlfbd32.exe
        34⤵
        Executes dropped EXE
        
        PID:3448
        
        C:\Windows\SysWOW64\Gmkbnp32.exe
        
        C:\Windows\system32\Gmkbnp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Goiojk32.exe
        
        C:\Windows\system32\Goiojk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4960
        
        C:\Windows\SysWOW64\Gcekkjcj.exe
        
        C:\Windows\system32\Gcekkjcj.exe
        37⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\SysWOW64\Gfcgge32.exe
        
        C:\Windows\system32\Gfcgge32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Giacca32.exe
        
        C:\Windows\system32\Giacca32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:916
        
        C:\Windows\SysWOW64\Gmmocpjk.exe
        
        C:\Windows\system32\Gmmocpjk.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Gcggpj32.exe
        
        C:\Windows\system32\Gcggpj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\Gjapmdid.exe
        
        C:\Windows\system32\Gjapmdid.exe
        42⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\Gidphq32.exe
        
        C:\Windows\system32\Gidphq32.exe
        43⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\Gpnhekgl.exe
        
        C:\Windows\system32\Gpnhekgl.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3524
        
        C:\Windows\SysWOW64\Gcidfi32.exe
        
        C:\Windows\system32\Gcidfi32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Gfhqbe32.exe
        
        C:\Windows\system32\Gfhqbe32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Gifmnpnl.exe
        
        C:\Windows\system32\Gifmnpnl.exe
        47⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\Gameonno.exe
        
        C:\Windows\system32\Gameonno.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Hclakimb.exe
        
        C:\Windows\system32\Hclakimb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\Hboagf32.exe
        
        C:\Windows\system32\Hboagf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\Hihicplj.exe
        
        C:\Windows\system32\Hihicplj.exe
        51⤵
        Executes dropped EXE
        
        PID:3652
        
        C:\Windows\SysWOW64\Hcnnaikp.exe
        
        C:\Windows\system32\Hcnnaikp.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:716
        
        C:\Windows\SysWOW64\Hfljmdjc.exe
        
        C:\Windows\system32\Hfljmdjc.exe
        53⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\Hikfip32.exe
        
        C:\Windows\system32\Hikfip32.exe
        54⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Windows\SysWOW64\Habnjm32.exe
        
        C:\Windows\system32\Habnjm32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\Hpenfjad.exe
        
        C:\Windows\system32\Hpenfjad.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\Hbckbepg.exe
        
        C:\Windows\system32\Hbckbepg.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1372
        
        C:\Windows\SysWOW64\Hadkpm32.exe
        
        C:\Windows\system32\Hadkpm32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Hbeghene.exe
        
        C:\Windows\system32\Hbeghene.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\Hippdo32.exe
        
        C:\Windows\system32\Hippdo32.exe
        60⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\Haggelfd.exe
        
        C:\Windows\system32\Haggelfd.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2800
        
        C:\Windows\SysWOW64\Hcedaheh.exe
        
        C:\Windows\system32\Hcedaheh.exe
        62⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\Hfcpncdk.exe
        
        C:\Windows\system32\Hfcpncdk.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\Haidklda.exe
        
        C:\Windows\system32\Haidklda.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\Icgqggce.exe
        
        C:\Windows\system32\Icgqggce.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:392
        
        C:\Windows\SysWOW64\Iidipnal.exe
        
        C:\Windows\system32\Iidipnal.exe
        66⤵
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Impepm32.exe
        
        C:\Windows\system32\Impepm32.exe
        67⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\Ipnalhii.exe
        
        C:\Windows\system32\Ipnalhii.exe
        68⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Ifhiib32.exe
        
        C:\Windows\system32\Ifhiib32.exe
        69⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\Ijdeiaio.exe
        
        C:\Windows\system32\Ijdeiaio.exe
        70⤵
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5100
        
        C:\Windows\SysWOW64\Ibojncfj.exe
        
        C:\Windows\system32\Ibojncfj.exe
        72⤵
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\Ijfboafl.exe
        
        C:\Windows\system32\Ijfboafl.exe
        73⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        74⤵
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Ipckgh32.exe
        
        C:\Windows\system32\Ipckgh32.exe
        75⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Idofhfmm.exe
        
        C:\Windows\system32\Idofhfmm.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Ifmcdblq.exe
        
        C:\Windows\system32\Ifmcdblq.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Iikopmkd.exe
        
        C:\Windows\system32\Iikopmkd.exe
        78⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\Ipegmg32.exe
        
        C:\Windows\system32\Ipegmg32.exe
        79⤵
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\Ibccic32.exe
        
        C:\Windows\system32\Ibccic32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:2948
        
        C:\Windows\SysWOW64\Ijkljp32.exe
        
        C:\Windows\system32\Ijkljp32.exe
        81⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Jaedgjjd.exe
        
        C:\Windows\system32\Jaedgjjd.exe
        82⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Jbfpobpb.exe
        
        C:\Windows\system32\Jbfpobpb.exe
        83⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        84⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Jpjqhgol.exe
        
        C:\Windows\system32\Jpjqhgol.exe
        85⤵
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Jfdida32.exe
        
        C:\Windows\system32\Jfdida32.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\Jaimbj32.exe
        
        C:\Windows\system32\Jaimbj32.exe
        87⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\Jdhine32.exe
        
        C:\Windows\system32\Jdhine32.exe
        88⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\Jjbako32.exe
        
        C:\Windows\system32\Jjbako32.exe
        89⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Jidbflcj.exe
        
        C:\Windows\system32\Jidbflcj.exe
        90⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Jaljgidl.exe
        
        C:\Windows\system32\Jaljgidl.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:2508
        
        C:\Windows\SysWOW64\Jdjfcecp.exe
        
        C:\Windows\system32\Jdjfcecp.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5140
        
        C:\Windows\SysWOW64\Jfhbppbc.exe
        
        C:\Windows\system32\Jfhbppbc.exe
        93⤵
        Drops file in System32 directory
        
        PID:5204
        
        C:\Windows\SysWOW64\Jigollag.exe
        
        C:\Windows\system32\Jigollag.exe
        94⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5260
        
        C:\Windows\SysWOW64\Jmbklj32.exe
        
        C:\Windows\system32\Jmbklj32.exe
        95⤵
        Modifies registry class
        
        PID:5312
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        96⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\Jdmcidam.exe
        
        C:\Windows\system32\Jdmcidam.exe
        97⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\Jfkoeppq.exe
        
        C:\Windows\system32\Jfkoeppq.exe
        98⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5460
        
        C:\Windows\SysWOW64\Jkfkfohj.exe
        
        C:\Windows\system32\Jkfkfohj.exe
        99⤵
        Modifies registry class
        
        PID:5512
        
        C:\Windows\SysWOW64\Kmegbjgn.exe
        
        C:\Windows\system32\Kmegbjgn.exe
        100⤵
        Drops file in System32 directory
        
        PID:5572
        
        C:\Windows\SysWOW64\Kaqcbi32.exe
        
        C:\Windows\system32\Kaqcbi32.exe
        101⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\Kdopod32.exe
        
        C:\Windows\system32\Kdopod32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5688
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        103⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\Kgmlkp32.exe
        
        C:\Windows\system32\Kgmlkp32.exe
        104⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5772
        
        C:\Windows\SysWOW64\Kilhgk32.exe
        
        C:\Windows\system32\Kilhgk32.exe
        105⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5820
        
        C:\Windows\SysWOW64\Kacphh32.exe
        
        C:\Windows\system32\Kacphh32.exe
        106⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Kdaldd32.exe
        
        C:\Windows\system32\Kdaldd32.exe
        107⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\Kbdmpqcb.exe
        
        C:\Windows\system32\Kbdmpqcb.exe
        108⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\Kkkdan32.exe
        
        C:\Windows\system32\Kkkdan32.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5996
        
        C:\Windows\SysWOW64\Kinemkko.exe
        
        C:\Windows\system32\Kinemkko.exe
        110⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Kaemnhla.exe
        
        C:\Windows\system32\Kaemnhla.exe
        111⤵
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        112⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\Kbfiep32.exe
        
        C:\Windows\system32\Kbfiep32.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        114⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\Kipabjil.exe
        
        C:\Windows\system32\Kipabjil.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5396
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        116⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        117⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5568
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        118⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5700
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        119⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        120⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\Kgfoan32.exe
        
        C:\Windows\system32\Kgfoan32.exe
        121⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5884
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        122⤵
        Modifies registry class
        
        PID:5944
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        123⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6044
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        124⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        125⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5200
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        126⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5468
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5584
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        129⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5908
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        131⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        132⤵
        Modifies registry class
        
        PID:6092
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        133⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5308
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        134⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5440
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        135⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        136⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        137⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        138⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        139⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        140⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        141⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5916
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        142⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5520
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        143⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        144⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6252
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        146⤵
        Modifies registry class
        
        PID:6296
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        147⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        148⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6388
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        149⤵
        Drops file in System32 directory
        
        PID:6428
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        150⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        151⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        152⤵
        Modifies registry class
        
        PID:6564
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        153⤵
        Drops file in System32 directory
        
        PID:6600
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        154⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        155⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6728
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        156⤵
        Drops file in System32 directory
        
        PID:6776
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        157⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6824
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        158⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6868
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        159⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        160⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        161⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6996
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        162⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7040
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        163⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:7080
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        164⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:7128
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        165⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        166⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        167⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        168⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:6368
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        169⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        170⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        171⤵
        Modifies registry class
        
        PID:6496
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        172⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6584
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        173⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6676
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        174⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        175⤵
        Modifies registry class
        
        PID:6856
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        176⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:6924
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        177⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6988 -s 400
        178⤵
        Program crash
        
        PID:7136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6988 -ip 6988
1⤵
PID:7096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dabpnlkp.exe

Filesize
315KB

MD5
1153c7ce08c50b2edc2cba3e82d5f811

SHA1
ec3a3acd8f84f1f80edb40ecb628bfbf23532169

SHA256
c09c584f5414d1e45fc544f7e1c7e1cb5622397ffb67d9f1f3c5440d2e331be5

SHA512
da92e19599c22c53af75b511bed4b4456a7ed75fa748084d3b3138b9538ffb92b9353ee8842aea52dadf7e61c8b54e512ecc50e15868e3e5372bc0d09e474258

Download Submit
C:\Windows\SysWOW64\Dagiil32.exe

Filesize
315KB

MD5
a73099d5a2c5e5e252a0e9e614a8cbb7

SHA1
a30f3be8350faa363d94397f7d4c021d9f9031e1

SHA256
7c835456ec8a7e9007c77f0249e041661cc27fd397bee46f5a146ef1c3ac38d7

SHA512
1842d78f59e08a8dce856cca964e95f4931815ea7453ce08d1fd71445874150cff1ecb253b473d4802cd81604d01f139c88da91451c24eef9467446f036aadeb

Download Submit
C:\Windows\SysWOW64\Dakbckbe.exe

Filesize
315KB

MD5
e9051ca22655d3c38ce0940561f04316

SHA1
e356e474032d75eee61cc590ca40edce46d3dff3

SHA256
4979ae8c97b77f8d681e6c91983687556f5a6b1b03680c2944417b052a8d649c

SHA512
6c0a55e065bccaa541e5e51c994a9dba99473893b215ec86b55496060d72180230b74eaa579a330c32416fca95a02720c13c85f0ebaf577c103517643bb041c5

Download Submit
C:\Windows\SysWOW64\Diihojkb.exe

Filesize
315KB

MD5
45f108750bfba5619dcc852a410863d3

SHA1
2917ce2816ae7a4b9f6ac50198daf104f320476f

SHA256
c13920dc2d1581296fdbe19137531d72bf181a7184c3ee55514f31eea2e5d221

SHA512
64639da10e8fda8220af145aae155f45baf2a3d481b1326a49e1f85012b2b1c3d07cdab3fba6c1feb376ea091c6bd655659e1f26905472b4e2143c4dbf8e3f7c

Download Submit
C:\Windows\SysWOW64\Djpnohej.exe

Filesize
315KB

MD5
2bb3b8204755366bf71daaee31ec5da5

SHA1
ea7724fd688a373652c7040362842111fe25c45a

SHA256
bbc918bc706b50b77499e20de6cb6aae26c36cbe82c2da4731dbe928a638b16d

SHA512
edbb2efaae47c8b38e9b8462aa676ffb74e369cd8e5d9fe9e0eb73b253c265d59ff35ac9595dd1e04729e1c0f081d0b6248c621657aa9b41da18b27395df79a1

Download Submit
C:\Windows\SysWOW64\Dljqpd32.exe

Filesize
315KB

MD5
44037777a73ef3d6569ceef1e68d3734

SHA1
f0e1f06c58bed72a075a8632f0fa90aafe749b09

SHA256
a5ad46afb7642a8bb1f4f9df7d0934905e0879a031ecd5f6b604f7eadb5409b2

SHA512
5b59b318d9d8eb97f9ecdcd8e97f6b590d7ccaa90b1150e1faa952c43788c05515348ad21f392fbe6af03e0ea43f954c549379ae5c0f5f3f3bb1034251648c40

Download Submit
C:\Windows\SysWOW64\Dohmlp32.exe

Filesize
315KB

MD5
896cc8d2c8cf273a7177971a823407f0

SHA1
5144fcecdd752522bfcba0507f35bd105d21ceca

SHA256
84cfa67bfe81f1b4a039e66a06fc5968f73223e11cff0b3e2ca2d5342be0bb99

SHA512
b90befc136e350cc407d06c1c140d8560d5a863c4a89895a177b7ddbda475a29f736f527d3e9b5b3146915337fc34ad953c69da3c8cd83c758611e8849c66050

Download Submit
C:\Windows\SysWOW64\Domfgpca.exe

Filesize
315KB

MD5
5d69cd5e2840b0c22d6212641ff2f594

SHA1
c3566ac27e9e18fe684098110ba2873a57e62a3c

SHA256
9f50d7f842e022ac012e7e0fae1434cbb6c8fe5c0b6821255eaa7d2020ba5473

SHA512
9b3fbfed4862fd0540919a0902eb12e422ad25bf07df8a108eb9752a63f76f00af554a8a5b025edcfe6dea0b0e5caea144d0741445a4b42e8a2936722481a644

Download Submit
C:\Windows\SysWOW64\Eckonn32.exe

Filesize
315KB

MD5
f4588cbb63b6cce4b6a3a41069cd0fe8

SHA1
3ae71ed5c86a5c0697b5b188fc8f16da5cedaf92

SHA256
f87f20df5a73ba07506816893dfca071890f11e8c8344a1c87ab7ec6feecbab0

SHA512
f0e9e0c9ef978e2a4357d9d6ea473909b6c168d46db0d301cce95f2e2ac91032a7c85cb5db1e5fdf2fc141be145b3599d6f5f84ac4a09cab49c3c2703b8e4e59

Download Submit
C:\Windows\SysWOW64\Efikji32.exe

Filesize
315KB

MD5
47a9f60ff413dccf40edfea6a034d2ce

SHA1
ddef78bc00815b9d5cd9dddb33940b64a14ff793

SHA256
2125950d84645d6755b41b7412098217f129ac70d843568d550b38bacf71c2cf

SHA512
706ad286fe60839bb4ab9458e5cf8d54f4e1bd1f2abf1d2497a841753197834ed40c7fa0eeface2b9b1f973891023a333286c276936d6fef081b94ae71a6cfc8

Download Submit
C:\Windows\SysWOW64\Eflhoigi.exe

Filesize
315KB

MD5
e4543c5e0dae4f209b2acab020751e74

SHA1
2b5b477a4ef799afd8e87d21951f5480d6412132

SHA256
348d4fd757439213d23362b0d3be2300b33dd821d3882daea3a1e569457897a3

SHA512
5bba925eb22218a43b01216cf9ba028b987b42adc35d6a18e9d988dd2f170cc8936e3950057909cf8fd604cd2981de308f4b4ecd5352f3859f4ce0efe81378b1

Download Submit
C:\Windows\SysWOW64\Efpajh32.exe

Filesize
315KB

MD5
6aa4430b2190a6ce867b7171ce3d2129

SHA1
4253e69561af878b9f4560ae7ba13330310fea74

SHA256
f4538a742f32f49ef7c6ae614efd25504a4a39f47acea6b55dcc322e23ba7128

SHA512
346d6db65918c5b83d8358a93c449c5a859ed5da5d0043977dd5ebe48da6396c7010e83a3477e4cad0a3607bc59ac04a049aba1392a06f2af0d323ddb613135c

Download Submit
C:\Windows\SysWOW64\Ehekqe32.exe

Filesize
315KB

MD5
d8bd8e22d2809874f9b24c597e936f26

SHA1
21aaf5573799e7e0e8d0b860ca50f5d080444dd9

SHA256
9e90e1580dcfc9318df84896a27b88c52e9bb185427c01f1069b426fe992fe99

SHA512
926d4ddba8a5b4aa3dbaf86d593b59bc822d0fbe2018db9adf1d53c935b8ba46e1cb4cd879a3e724cc03f735db58a38b4b058822943e7e360d06c33b3e50afb5

Download Submit
C:\Windows\SysWOW64\Ehhgfdho.exe

Filesize
315KB

MD5
be6b0acc8f2d35534139f18f485faa2e

SHA1
fc84c1201aa72a11b017ac2e40172794848b0ed5

SHA256
5e519378395e6c1f54d6e2265c433fdb20aff16ec3cfac94ca7b889b22a3dc20

SHA512
11782deec45610464c27e667ab6981ba5e8aaad2c6afc4c5baab91a076fef5d7a09572446a29f15cc74f4e2ea266df1541a94036dba4970007ebba5dbb2c3520

Download Submit
C:\Windows\SysWOW64\Ehlaaddj.exe

Filesize
315KB

MD5
1cf8a3c6474f1562bbb8521f60988ee4

SHA1
488c8c784571e3bcae60cc50d7a6424a5eff0b44

SHA256
0cfa5480f88148a8f8a2450fec811c73e88a2864cdec24066d5867c8d240accb

SHA512
def0145a3d62a09df6e427b6903c13d014475e08693312208cb6b25ae1b266998dd1ce2813f3098a366b220cee075f33939f8025870cdc0f087b737745ac4de2

Download Submit
C:\Windows\SysWOW64\Ehonfc32.exe

Filesize
315KB

MD5
98bb4d71878a502d05f7cf40a1e2bc8f

SHA1
c4a0532365b2d3722aacf2028772ba90298dfd87

SHA256
3fe4908129e8769e643d2e543e92d7fa172a6aa10fd2559efc6abfbe57c63c4f

SHA512
0fb1b97769a072866cd69474f0c0c13fd3cd0dbba05816b77efd8c386f51da3df45e5ad71f9e581bc468b11ac8f6abee3b694106cab6e51d31236ecc6816a155

Download Submit
C:\Windows\SysWOW64\Ejjqeg32.exe

Filesize
315KB

MD5
f6db6f9d06a586e1c323b8681d4a22b2

SHA1
7d31e452b7a9b4fdad60488777de375e6d8d72ee

SHA256
cf6d44eaf2d3b1b7d2d5d1f329e5ab513a5982a715a544310c7e74bb5ae1f25a

SHA512
9ec265c767ca1936bf053c5c0da0e3868514b7277db54a5f34262be76ee2a85b67e963f845b154135416b73465b26708241cd0b8bcd33d7f9e9b6bc04860a731

Download Submit
C:\Windows\SysWOW64\Eoapbo32.exe

Filesize
315KB

MD5
5dfe8019c63861a11388146ada684956

SHA1
8249808db24386b66358f7f54478be8ba6f32ff4

SHA256
1da88611a212e2318bb5ef8284a53ff0e2f5e16dc437cf9eeb57c57fc9910a8c

SHA512
2d77dced68873c5ede0fbcfb629df053a86394642a949a71c7eacc3e23ed8458019df88c007ad2bd659c1b0de3400b6342c1ac6fc9aab839e8bf883073f4a8ed

Download Submit
C:\Windows\SysWOW64\Eoifcnid.exe

Filesize
315KB

MD5
a05071449f387eede737693399b7f273

SHA1
f890b7b68a058871df94b048972362fc5431b7cf

SHA256
3ebd30e228a367a1ca5da101e65e710e500818448b871efc6c5715c30268d429

SHA512
1f74f5805a865986f80ab03ad8ece9296785a4c3fab322dee268158855f048734e316c1dd70085f8b5d64136c53469b812e799d566d96a8632c88211100bb2d0

Download Submit
C:\Windows\SysWOW64\Epopgbia.exe

Filesize
315KB

MD5
97cbeeebd95c5dd77b2a1bb75a47595c

SHA1
5843852a61dd47409cb4e7fed0ceb77f04a977aa

SHA256
f0bdb5cf70cc894df7bdee106f19510fe905bbff7540d09b1df01ee84fa9166e

SHA512
0ac6f417595f6ce912d67b370b1a3eb8df9642e3b13b95b30a187a030eced04b1896ee48f94c21e252fc6787afeaf2adfe66811e0ce6c1e4a0edc120e2308ecd

Download Submit
C:\Windows\SysWOW64\Fbnhphbp.exe

Filesize
315KB

MD5
107e5b6c23bf48130b00e5ac06f77451

SHA1
96112f3f03fa559ac8c33e6728c948b9f3361737

SHA256
e48e8bd319457c8bc21e89e94ae3fe368d28ea7b1dcefac505c7e36ffd07bcdc

SHA512
d78d443b26fafde344e5a466fb12c9bd936b70bd028724fe6ebf4fa3c35e91c9207584eb5926883fde2a6bf2d7180c82a2b7928a0dddb966e6a6db095027e98e

Download Submit
C:\Windows\SysWOW64\Fcgoilpj.exe

Filesize
315KB

MD5
f394c392f459d147aba3695f6eb92d04

SHA1
6af4a738f7259cee996ca6d077703244b164de00

SHA256
1baa0807510e5f872e2ace35b1cffbfec241a0b6f589820f7b31d8d9ca905441

SHA512
d9cf85f3bfcc2492a2ae3ca8b0bc3a7c7ce6fd04533930147d4c032eded97248ebb3a04f6162af8bb8aa52619c4b174cf554e77c0268929df8fc378964bfb40f

Download Submit
C:\Windows\SysWOW64\Ffggkgmk.exe

Filesize
315KB

MD5
0cb7998af237bfd1d1de9e3b53f35bb9

SHA1
852b4d1259fe0aee1c4c7c8d271d56f271b1c85c

SHA256
d8d525d54a558a8f4d25d0d07d9180e5c0385146a227813e2172d28950b7890a

SHA512
e88b2bac04721bf2bea57da5b22a8326e8fbc7e4c435f8d4cb8b9aae17d1d2208afde7e82ef6846dde89a88cd12691fc02d82b16720d02bc1d5ae7f07496a27c

Download Submit
C:\Windows\SysWOW64\Fhajlc32.exe

Filesize
315KB

MD5
8664f9780bc99f38139854afdd4d32af

SHA1
f4ac8c78d42bfd09f6e471975ef160b5709e661a

SHA256
c569f666c103bc94445d289bb4f04e4aae431b8cc270ffd86fdcb1b58bd41288

SHA512
58e79ad4bcc6cfc2846ab3bc0cf4582cd94d3a5d71e96e11036637ad4ce1bc013a89e43b3ed8bd02df41b7bf37dd7c82cbdb7ae99942bc3842d2b26a9857dd61

Download Submit
C:\Windows\SysWOW64\Fmapha32.exe

Filesize
315KB

MD5
48bbd957baed1dffe2d5492fb0c11790

SHA1
df5fb6866a0e188517f4a0430408adb9c3406153

SHA256
268979977f0c5b83622bdb4eade0c589009fd705554359c07f95428ceae8d5dd

SHA512
6c175dcd52ff0e292f8e734e1e38511b42ecbf1f4dbc904916ff801c39c1f6eaa23d03254d711b89b0d9e022359f4d1bcb9e7493e65132b10ef61099583afc2f

Download Submit
C:\Windows\SysWOW64\Fobiilai.exe

Filesize
315KB

MD5
2015141d5079aa2b478ac3f1ca401db5

SHA1
405efa7471a4b47bde2577142cc7881994e53c13

SHA256
37343cb634e77fd170a3edb82f65fcc8d55d0c21de959032548cfbd0562e4c81

SHA512
156d7cb9548ef636bf52f867d1890a3d670bb28208477cab3848ac78f2cb6fb237c9f5a253c7805ea9f1e2c6c986bf75c01439dad821387c2bfef9f9ff259d81

Download Submit
C:\Windows\SysWOW64\Fqaeco32.exe

Filesize
315KB

MD5
6f5859c7f6bbdd56d3f4979665b77715

SHA1
300e080671e8ae0558ec38f2e33fb3f1f106ea3b

SHA256
3219fcfb5392d4a6b1b40b49f5c35380351ab7d5d8990af4d3e65650534b581f

SHA512
7d8330468d0a6e1bbb83cc9349e1059b681aa802e84e94f40611e1648f8af3aa581915bbeec80d8a3e39050b97b651ad75f55745882b42f971f74c723c04e138

Download Submit
C:\Windows\SysWOW64\Fqhbmqqg.exe

Filesize
315KB

MD5
51508345038c09b720fb3ff2b446c983

SHA1
60322df95c2460d772de02f2312e759ac4d09086

SHA256
9b005460de830b027fd7eff72aa02aaeffdf0563b2c88fe20d8ef9c5492c1e5b

SHA512
24c58ec673050726b1b647f07515867b8da531a18b613b1fddf70221feec6436f07cc5f5f63fe91ca54fabf23bdb0b4392972289a512fbc5599231b74b64d4dc

Download Submit
C:\Windows\SysWOW64\Fqmlhpla.exe

Filesize
315KB

MD5
24fd16185c6729f6cce8a369ed7642f6

SHA1
0a4b64f0429ab5584c21060f7093eccc5c38efd9

SHA256
971d4b05792069c8b166fc32d0f0c0f5c61202e342e56f6a3dfcb2b7f80afb95

SHA512
e3adddb37021f11ea10313add72f146d87b99209ee0c3bf1214341dbd814be485283d9cf734caee1103ad54ed0c3afdddefbe99e920dfbb53e36ed81568b928e

Download Submit
C:\Windows\SysWOW64\Gbcakg32.exe

Filesize
315KB

MD5
01a470135aef5a49da180ddcf8b8543c

SHA1
216f6e229e4c999397202b260b96c67fa5cafd4c

SHA256
997d22782a8cc89f3bbf9515f6de838bd51630b13891c2434c8f823bbab6f8fd

SHA512
e46c3258016e8ff4eb92d6da4d4a6693285d860310a0d666526006966dbcc0fb08dbda73f79dcb5cfdc3834a750872d9d22da1e977286ec15bc20d0a4d22f4af

Download Submit
C:\Windows\SysWOW64\Gcbnejem.exe

Filesize
315KB

MD5
fc43c42261b11fdd80401abb3d5c854f

SHA1
f64e9c92bef2a745859083beb38727f28321d111

SHA256
7e672cadbe57f39e98f6f96e15b1b6de03d706e8d0285ca337a0be38d6262acb

SHA512
9ff7168003fe5b2834779bf9adce985efed55925927506f01cf8521d9d2698f4b315e6994ab2e6eb2f518c53d09288f51f639597b135d2392e52b6f2a40d02ab

Download Submit
C:\Windows\SysWOW64\Gcggpj32.exe

Filesize
315KB

MD5
67a06c33f42949041917a474681262ea

SHA1
6e9e3a1895ee28efaf5d8ab9d5f1fd58fa93234e

SHA256
328bc73febcefeac15b956f675e10e577f331d058663bcbf8bdff2677cc4f3c0

SHA512
2bb872b8a74457cec75ea3ce3762e6b4b022a8038766b69b61e7d80abbf4857d4b0cc2e12c98b75b423aa90fe9c397b60a5f094500d59dbccfab52cab7a4943b

Download Submit
C:\Windows\SysWOW64\Gimjhafg.exe

Filesize
315KB

MD5
6ca508d3b0096c5bb270060974261e9f

SHA1
8127d9c58c667509538bb0530b69dd6a262c5acb

SHA256
dbe3556480ad4a32426c5fb582bab9b746ff4ed3b1e1dc1218bc3287dd7b795e

SHA512
1d97d1c462df27c721942daec21d9dcdb654c577cfe814c55ce35eb1b7f0ab197848d24132f3e3a0c99b5d01ac51be6b0da54e563afc410f0c8de7944f58f0a9

Download Submit
C:\Windows\SysWOW64\Hbeghene.exe

Filesize
315KB

MD5
7e84618ef6cc1ba7e831bde6b1e13545

SHA1
09ef04709002ab9facc7bd9b7c7a407e7694505b

SHA256
11a873f2c3b1d3d40dbf35987b4adf60878e03f30a80314ccbbcb30a7a21c69e

SHA512
933e9ee6c0eb3b286f114fd4e0ebe0f265454f090c07569caad629ccfb8c70a70a22dc9fe4780d02c1ae5804bc6b4dc48a6a42dfffef30c2199558ff9d341e9a

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
315KB

MD5
95de15f75bd56ac6f6db1fd7687b71ce

SHA1
4151e420e9260c2286bfdb8a338d13f8ce348bed

SHA256
35168d5e8f05de6a6060964b6a0fe4d57453cdda3647862b112c76bbc8825985

SHA512
e902ffb54b56f3530c38acdefb46370753173b0decc43a90ca1eddcf3ec483a3572f092b102709cde7e11b386d4d2547dc6a29eb156fa26b87520ad9c86535fc

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
315KB

MD5
bc395e980acdaa25984a463e6fe6ba2c

SHA1
3e93548986e36b1f9085af835895e51e769f5523

SHA256
b83fc1730d7d30bb2928eb898218a739804810fc7b8357ce23e1b8bcfac3b984

SHA512
0e3d594b31ee81401c0f0afb7238749ed87b584557332f00cd6c6092d5b572fbaf08168e778bda2f12bc50511a4c8f1870f0ddfb6a83cea04cab937ffd183680

Download Submit
C:\Windows\SysWOW64\Jfdida32.exe

Filesize
315KB

MD5
b8201c3a326e9b5b01b00069e63fc61a

SHA1
aca7eedbcc362bdb546d5664a823cfc33387c677

SHA256
4a336dc11d413f12035616309ec770ac2c1449d98b3a8f7f7ecb7b5f7007a1eb

SHA512
68daed91fda158a98e8c73e8d10f8707c62b61157b0ec4dd9224bd24465f0ddad8cd35a45396c7d597d88ffa15efaa7719ff85a724656375da3a4f693281d3f0

Download Submit
C:\Windows\SysWOW64\Jfhbppbc.exe

Filesize
315KB

MD5
927268df7d01c44421b0ee510d52e5ca

SHA1
3b07679b1df7be6d363b8280d889bae6acbbb042

SHA256
cc6cbb07df320623bed323b6d73dfc54d481451860301f8396d0ac872521cdee

SHA512
5e4ab25a16c857497288f45270cf8350bbcf158017ba267e1b0538aaef0ebb386245a46bbdc978b2cbc176910de2b2117dc8bc2021ba49d4f59e8d5284ee10b8

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
315KB

MD5
d0c9806a9d64b033577c4772ed2a34c5

SHA1
31acc617e390851344487f3a7164f9df1fc0c0ec

SHA256
48e978f4532fc1bba257a3b49fb093fdaab38b77fef016a4230fac64a87d4f66

SHA512
f270ed31d1bc7bf58fa6b4fb8c7b0a511c6c05fed805985a0c8f3c2a9bd6fa36f53fd07a2ea2d3823e1dd9307d7774fca0789ef2220741ed47426ae8899c1a37

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
315KB

MD5
817ea4aad97a5496ca0efc8047628b7f

SHA1
a81d0d59ce2759e6385dd0465ecdb6145aafc398

SHA256
141dd43113dc8c006062884bb24f8e166478bb2e49dda76b698284ed0714739a

SHA512
24244a05a9ebcfa0b94dfc139c926313f020cc864f6fc162dd5a699f478a00ec782307ac4d869f30eccb61cce98256ac438b3e4da4cef60eaaed00454bd9e493

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
315KB

MD5
c85f01c7290010a29df43f7ea300c4ad

SHA1
ac9164dce40f550897b6bd054ae0cdce155f9519

SHA256
5ab1f10d9cfc7b5901ce882d9bb96ac90f222f8e1d083959b4ed7458b0b99ad0

SHA512
77207385cfd01a9f9ceeaeba8e079ffb445ed916ff7d3f2d212e735f1ee3564df07b1e7635abf4ccfe375bcea2313c624ca5767a799795295c6fb04ea7369799

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
315KB

MD5
28dd0fa4989b4131e70dfbd93bde55a4

SHA1
a93e7863367460b2d0074d1b7b3ad67a32cd829e

SHA256
c50140f22afd6ed9c6d64edd5f543cffb3c6f53db67b17beafacdc2ce34a7bc9

SHA512
19a8f3f9425380ee5e75e9615dcbf62e72000cec21cf4610b6661511f3e01b02b84e8cbe9cdc613999cd0789e41e847ec5b81a16aa0a7b6d7dafaa4d6ba44fa9

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
315KB

MD5
979882872fe90bcdf154dd1f9de2ecc3

SHA1
8f9eeeefbc8fb2e548240cc60c7fa2b4c2c1372a

SHA256
b1646d92d5bd9f67d3ff3ac2d50db00ec5063e6cc9968b8d8b7142f6a349bdc8

SHA512
9b720560fd31b330551046bda2255296d291da87c9399fe941a9d8772c285dbcabb2ff5de152fd4010b95a32226a8da1cfda12c52df3a9569a19ee632b4e6c9f

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
315KB

MD5
e930306a2ce62a8c08bc7a6b62133aec

SHA1
d0647e3c4e66f67304a9ad25664ef0f6588e2e89

SHA256
724d118774667de87e0a2db8edc7e73c41c9c5e84da3a1d304bf99a7bd2aa1fe

SHA512
6bf4cb362b800efcda045927465537ac78039f720971d7f06c56fdd6de95daf5f982cec3e1672fed39c74179a57c536add904f19a9dd020710f226c75cd8b6d9

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
315KB

MD5
bbf67894f5af4a77938611b3e0b642fa

SHA1
5e3fddca67b78ebf6b47324d797a0ebe6e10a79d

SHA256
3c3acfe9d97f64aad5785d302e4ad0510daf72f0269eb56f45ea02b045118d1b

SHA512
eb840eae90dfdb2d2aafcba3dbf763e8b25f2827624922386d35c37cd4e7154d5f597ac5f0e8f35fe5a2f1f657de5499689695c7013b8971a356ed7000f5cbae

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
315KB

MD5
f72601b324568971dd01eff2094f04f0

SHA1
50d5d76ac637da27673609d9693804f300e9db79

SHA256
3e8680c83b6e17ec1f8f998a6c544d636a050abdefd41c3d01153ef73518ea37

SHA512
88ec14bc97592fbd65ab3dc5a68667cb59dbedbe195b333a3e23331f0bd2dbd66397c2905a4c813170bbdd729fc99e9512247b30d20e84ec48670885771497bd

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
315KB

MD5
966ef3d78e6671dc31a445fbfd84b36a

SHA1
f854093141a58b4a4887c87a5779bd7ea1d18e7d

SHA256
598e7129fa041931f2876a3709732fd5d5da5083c3f4b2166863af88b375dde0

SHA512
5f9cddfd1732229378f9371b162f96d249a71ec25688cafb3011c77b17e72f6837f26997f31bd5597ed936ee3f721736609c3bb6b0ff40872bb0a2f2dc893e82

Download Submit
memory/216-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/540-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/716-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1068-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1152-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1372-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1644-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-435-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2160-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-580-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-559-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-590-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3432-537-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3524-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3660-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3868-567-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3912-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4020-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-574-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4624-573-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4672-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-8-0x00007FFA18F70000-0x00007FFA19165000-memory.dmp

Filesize
2.0MB

Download
memory/4848-539-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-581-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5052-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-587-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5076-598-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6496-1203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6728-1230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads